├── .DS_Store
├── Brute-Force
└── README.md
├── Business-Logic
└── README.md
├── Command-Injection
└── README.md
├── Cookies-Attributes
└── README.md
├── Cross-Origin-Resource-Sharing
└── README.md
├── Cross-Site-Request-Forgery
└── README.md
├── Cross-Site-Scripting
└── README.md
├── Directory-Traversal-File-Include
└── README.md
├── HTTP-Smuggling
└── README.md
├── HTTP-Verb-Tampering
└── README.md
├── Information-Leakage
└── README.md
├── Insecure-Authentication-Class
└── README.md
├── Insecure-Direct-Object-References
└── README.md
├── JSON-Web-Token-Flaw
└── README.md
├── LICENSE
├── Open-Redirect
└── README.md
├── Others
└── README.md
├── Privilege-Escalation
└── README.md
├── README.md
├── Race-Condition
└── README.md
├── SQL-Injection
└── README.md
├── Secured-File-Upload
└── README.md
├── Server-Side-Request-Forgery
└── README.md
├── Server-Side-Template-Injection
└── README.md
└── XML-External-Entity
└── README.md
/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Voorivex/pentest-guide/460e796217aae3471ea549a55e27e0f62a97919d/.DS_Store
--------------------------------------------------------------------------------
/Brute-Force/README.md:
--------------------------------------------------------------------------------
1 | # Brute Force
2 | [https://wiki.owasp.org/index.php/Brute_force_attack](https://wiki.owasp.org/index.php/Brute_force_attack)
3 |
4 | ## References
5 | * [kaspersky - What's a Brute Force Attack?](https://www.kaspersky.com/resource-center/definitions/brute-force-attack)
6 | * [Hydra the logon cracker, a brute-forcing how-to user guide](https://www.pentestpartners.com/security-blog/hydra-the-logon-cracker-a-brute-forcing-how-to-user-guide/)
7 |
8 | ## Examples
9 | * [How I could have hacked all Facebook accounts](http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html)
10 | * [Two Ways to Brute-force Instagram Account Credentials](https://www.arneswinnen.net/2016/05/instabrute-two-ways-to-brute-force-instagram-account-credentials/)
11 | * [How I Could Compromise 4% (Locked) Instagram Accounts](https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/)
12 | * [Possibility to brute force invite codes in riders.uber.com](https://hackerone.com/reports/125505)
13 | * [Brute-Forcing invite codes in partners.uber.com](https://hackerone.com/reports/144616)
14 | * [Web Authentication Endpoint Credentials Brute-Force Vulnerability](https://hackerone.com/reports/127844)
15 | * [Possibility to enumerate and bruteforce promotion codes in Uber iOS App](https://hackerone.com/reports/125707)
--------------------------------------------------------------------------------
/Business-Logic/README.md:
--------------------------------------------------------------------------------
1 | # Business Logic
2 |
3 | ## Business Logic References
4 | https://owasp.org/www-pdf-archive/2008.07.17.OWASP.ppt.pdf
5 |
6 | ## Examples
7 |
8 | * [[2020] - [shopify] Takeover an account that doesn't have a Shopify ID and more](https://hackerone.com/reports/867513)
9 | * [[2020] - Change the username for any Facebook Page](https://bugreader.com/marcos@change-the-username-for-any-facebook-page-219)
10 | * [[2020] - Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation](https://hackerone.com/reports/910300)
11 | [[2020] - [Gitlab] Members from parent group keep their access level on a subgroup transfer and are invisible](https://hackerone.com/reports/790786)
--------------------------------------------------------------------------------
/Command-Injection/README.md:
--------------------------------------------------------------------------------
1 | # Command Injection/Execution - Code Injection
2 | [https://wiki.owasp.org/index.php/Testing_for_Code_Injection_(OTG-INPVAL-012)](https://wiki.owasp.org/index.php/Testing_for_Code_Injection_(OTG-INPVAL-012))
3 | [https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013)](https://wiki.owasp.org/index.php/Testing_for_Command_Injection_(OTG-INPVAL-013))
4 |
5 | ## References
6 | * [How To Exploit PHP Remotely To Bypass Filters & WAF Rules](https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/)
7 | * [[2020] - https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/](https://research.nccgroup.com/2020/07/05/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/)
8 | * [[2020] - Apache Tomcat RCE by deserialization (CVE-2020-9484) – write-up and exploi](https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/)
9 | * [[2020] - SQL Injection Double Uppercut :: How to Achieve Remote Code Execution Against PostgreSQL](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)
10 |
11 | ## Tools / Payloads
12 | * [https://github.com/commixproject/commix](https://github.com/commixproject/commix)
13 |
14 | ## Examples
15 |
16 | * [[2020] - Remote code execution on Basecamp.com](https://hackerone.com/reports/365271)
17 | * [[2020] - Blind SSRF in /appsuite/api/oxodocumentfilter&action=addfile](https://hackerone.com/reports/865652)
18 | * [[2020] - GitLab-Runner on Windows `DOCKER_AUTH_CONFIG` container host Command Injection](https://hackerone.com/reports/955016)
19 | * [[2020] - FULL INFRASTRUCTURE TAKEOVER OF VMWARE CLOUD DIRECTOR (CVE-2020-3956)](https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/)
20 | * [[2020] - Remote Code Execution in Three Acts: Chaining Exposed Actuators and H2 Database Aliases in Spring Boot 2](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database)
21 | * [[2020] - How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM](https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html)
22 | * [[2020] - Remote Code Execution (Reverse Shell) - File Manager](https://hackerone.com/reports/768322)
23 | * [[2019] - Information disclosure of secret_key_base via encoding charcters](https://hackerone.com/reports/460545)
24 | * [[2019] - LFI with potential to RCE on ██████ using CVE-2019-3396](https://hackerone.com/reports/538771)
25 | * [[2019] - User-assisted RCE in Slack for macOS (from official site)](https://hackerone.com/reports/296991)
26 | * [[2019] - Webshell via File Upload on ecjobs.starbucks.com.cn](https://hackerone.com/reports/506646)
27 | * [[2019] - Keybase client: downloaded executables lack "com.apple.quarantine" meta-attribute [macOS]](https://hackerone.com/reports/430463)
28 | * [[2019] - Slack - User-assisted RCE in Slack for macOS (from official site) due to improper quarantine meta-attribute handling for downloaded files](https://hackerone.com/reports/470637)
29 | * [[2019] - Valve - Unchecked weapon id in WeaponList message parser on client leads to RCE](https://hackerone.com/reports/513154)
30 | * [[2019] - Remote Code Execution on www.semrush.com/my_reports on Logo upload](https://hackerone.com/reports/403417)
31 | * [[2019] - Local files could be overwritten in GitLab, leading to remote command execution](https://hackerone.com/reports/587854)
32 | * [[2019] - Potential pre-auth RCE on Twitter VPN](https://hackerone.com/reports/591295)
33 | * [[2019] - U.S. Dept Of Defense - RCE on █████ via CVE-2017-10271](https://hackerone.com/reports/576887)
34 | * [[2019] - Remote Code Execution on www.semrush.com/my_reports on Logo upload](https://hackerone.com/reports/403417)
35 | * [[2019] - RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/](https://hackerone.com/reports/502758)
36 | * [[2019] - Handlebars template injection and RCE in a Shopify app](https://hackerone.com/reports/423541)
37 | * [[2019] - Remote Code Execution At Api.PrivateProgram.Com (CVE-2017-5638)](https://www.mohamedharon.com/2019/04/apache-strust-rce.html)
38 | * [[2018] - Remote Code Execution on a Facebook server](https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/)
39 | * [[2018] - [CVE-2018-18312] regcomp: heap-buffer-overflow write / reg_node overrun](https://hackerone.com/reports/510887)
40 | * [[2018] - RCE due to ShowExceptions](https://sites.google.com/view/harshjaiswalblog/rce-due-to-showexceptions)
41 | * [[2018] - RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)](https://hackerone.com/reports/303061)
42 | * [[2018] - RCE in `chrome://brave` available for navigation in Release build](https://hackerone.com/reports/395737)
43 | * [[2018] - Remote Code Execution on Proxy Service (as root)](https://hackerone.com/reports/401136)
44 | * [[2018] - How an Instagram’s Story drives me to a Remote Code Execution](https://medium.com/bugbountywriteup/how-an-instagrams-story-drives-me-to-a-remote-code-execution-9ff96458ec89)
45 | * [[2018] - $36k Google App Engine RCE](https://sites.google.com/site/testsitehacking/-36k-google-app-engine-rce)
46 | * [[2018] - Latex to RCE, Private Bug Bounty Program](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
47 | * [[2018] - Remote Command execution due to image tragick](https://hackerone.com/reports/412021)
48 | * [[2018] - Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability](https://hackerone.com/reports/410237)
49 | * [[2018] - Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability](https://hackerone.com/reports/407552)
50 | * [[2018] - Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical)](https://hackerone.com/reports/410882)
51 | * [[2017] - Facebook's Imagetragick Story](https://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html)
52 | * [[2017] - Exploiting Node.js deserialization bug for Remote Code Execution](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/)
53 | * [[2017] - Taking note: XSS to RCE in the Simplenote Electron client](https://ysx.me.uk/taking-note-xss-to-rce-in-the-simplenote-electron-client/)
54 | * [[2017] - How I got 5500$ from Yahoo for RCE](https://medium.com/bugbountywriteup/how-i-got-5500-from-yahoo-for-rce-92fffb7145e6)
55 | * [[2017] - How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
56 | * [[2017] - Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
57 | * [[2017] - Command Injection in Yahoo Acquisition](https://samcurry.net/how-i-couldve-taken-over-the-production-server-of-a-yahoo-acquisition-through-command-injection/)
58 | * [[2017] - RCE in Imgur by Command Line](https://hackerone.com/reports/212696)
59 | * [[2017] - RCE in Jenkin Instance](https://nahamsec.com/secure-your-jenkins-instance-or-hackers-will-force-you-to/)
60 | * [[2016] - How I Hacked Facebook, and Found Someone's Backdoor Script](https://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/)
61 | * [[2016] - How we broke PHP, hacked Pornhub and earned $20,000](https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/)
62 | * [[2016] - Remote Code Execution by impage upload!](https://hackerone.com/reports/158148)
63 | * [[2016] - How I hacked Pornhub for fun and profit - 10,000$](https://5haked.blogspot.com/2016/10/how-i-hacked-pornhub-for-fun-and-profit.html)
64 | * [[2016] - JetBrains IDE Remote Code Execution and Local File Disclosure](http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/)
65 | * [[2016] - Google Cloud Remote Command Injection (RCE)](https://www.pranav-venkat.com/2016/03/command-injection-which-got-me-6000.html)
66 | * [[2016] - PayPal Node.js code injection (RCE)](http://artsploit.blogspot.com/2016/08/pprce2.html)
67 | * [[2016] - Gitlab - Read files on application server, leads to RCE](https://hackerone.com/reports/178152)
68 | * [[2016] - uber.com may RCE by Flask Jinja2 Template Injection](https://hackerone.com/reports/125980)
69 | * [[2015] - JDWP Remote Code Execution in PayPal](https://www.vulnerability-lab.com/get_content.php?id=1474)
70 | * [[2015] - Telekom.de Remote Command Execution!](http://www.sec-down.com/wordpress/?p=581)
71 | * [[2015] - Magento Remote Code Execution Vulnerability!](http://www.sec-down.com/wordpress/?p=578)
72 | * [[2014] - RCE deal to tricky file upload](https://secgeek.net/bookfresh-vulnerability/)
73 | * [[2013] - XXE in OpenID Led to RCE](http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution)
74 | * [[2013] - Yahoo Bug Bounty - *.login.yahoo.com Remote Code Execution](http://blog.orange.tw/2013/11/yahoo-bug-bounty-part-2-loginyahoocom.html)
75 | * [[2013] - eBay PHP Parameter Injection lead to RCE](https://secalert.net/#ebay-rce-ccs)
--------------------------------------------------------------------------------
/Cookies-Attributes/README.md:
--------------------------------------------------------------------------------
1 | # Cookies Attributes
2 | [https://wiki.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)](https://wiki.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002))
3 |
4 | ## Examples
5 | * [Recon in 2 Minutes and Got $250 Easy](https://medium.com/@cryptographer_/recon-in-2-minutes-and-got-250-easy-630ab426843?_branch_match_id=526660511344466416)
--------------------------------------------------------------------------------
/Cross-Origin-Resource-Sharing/README.md:
--------------------------------------------------------------------------------
1 | # Cross Origin Resource Sharing (OTG-CLIENT-007)
2 | [https://wiki.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007)](https://wiki.owasp.org/index.php/Test_Cross_Origin_Resource_Sharing_(OTG-CLIENT-007))
3 |
4 | ## References
5 | * [Portswigger - Exploiting CORS Misconfigurations](https://portswigger.net/kb/papers/exploitingcorsmisconfigurations.pdf)
6 | * [Advanced CORS Exploitation Techniques](https://www.corben.io/advanced-cors-techniques/)
7 | * [Exploiting Misconfigured Cross Origin Resource Sharing - geekboy.ninja](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
8 | * [Exploiting Misconfigured CORS via Wildcard Subdomains - geekboy.ninja](https://www.geekboy.ninja/blog/tag/cross-origin-resource-sharing/)
9 |
10 | ## Examples
11 | * [[2020] - (CORS) Cross-origin resource sharing misconfiguration in U.S. Dept Of Defense](https://hackerone.com/reports/896093)
12 | * [[2019] - Zoom Zero Day: 4+ Million Webcams & maybe an RCE?](https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5)
13 | * [[2019] - CORS To CSRF Attack](https://blog.usejournal.com/cors-to-csrf-attack-c33a595d441)
14 | * [[2019] - A Simple CORS Misconfig Leaked Private Post Of Twitter, Facebook & Instagram](https://medium.com/@nahoragg/a-simple-cors-misconfig-leaked-private-post-of-twitter-facebook-instagram-5f1a634feb9d)
15 | * [[2018] - [www.zomato.com] CORS Misconfiguration, could lead to disclosure of sensitive information](https://hackerone.com/reports/426165)
16 | * [[2018] - Twiiter - CORS misconfig | Account Takeover](https://hackerone.com/reports/426147)
17 | * [[2018] - Full Account Takeover through CORS with Connection Sockets](https://medium.com/@saamux/full-account-takeover-through-cors-with-connection-sockets-179133384815)
18 | * [[2017] - Exploitation of Cross Origin Resource Sharing on Edmodo](https://medium.com/@Skylinearafat/exploitation-of-cors-cross-origin-resource-sharing-on-edmodo-aa90431a3cb6)
19 | * [[2017] - Cross-origin resource sharing misconfig | steal user information - HackerOne](https://hackerone.com/reports/235200)
20 | * [[2017] - Tricky CORS Bypass in Yahoo!](https://www.corben.io/tricky-CORS/)
21 | * [[2018] - How to hunt insecure CORS](https://medium.com/@fran_bl4kd43m0n/how-to-hunt-insecure-cors-b72f0aa0e56f)
--------------------------------------------------------------------------------
/Cross-Site-Request-Forgery/README.md:
--------------------------------------------------------------------------------
1 | # Cross-Site Request Forgery
2 | [https://wiki.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005)](https://wiki.owasp.org/index.php/Testing_for_CSRF_(OTG-SESS-005))
3 |
4 | ## References
5 | * [Cross-site request forgery (CSRF)](https://portswigger.net/web-security/csrf)
6 |
7 | ## Examples
8 | * [[2019] - Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers](https://hackerone.com/reports/419891)
9 | * [[2019] - CSRF On Connect Account With Github Lead To Account Takeover](https://hackerone.com/reports/542047)
10 | * [[2019] - Path traversal leading to limited CSRF on GET requests on two endpoints](https://hackerone.com/reports/301862)
11 | * [[2019] - Vanilla: FileUpload Plugin: CSRF (delete all attached files)](https://hackerone.com/reports/367966)
12 | * [[2019] - Instacart: CSRF Trial 14 days express subscription)](https://hackerone.com/reports/334139)
13 | * [[2019] - Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account](https://hackerone.com/reports/423022)
--------------------------------------------------------------------------------
/Cross-Site-Scripting/README.md:
--------------------------------------------------------------------------------
1 | # Cross-Site Scripting
2 | [https://wiki.owasp.org/index.php/Cross-site_Scripting_(XSS)](https://wiki.owasp.org/index.php/Cross-site_Scripting_(XSS))
3 |
4 | ## References
5 | * [Hacker101 - XSS Tutorial](https://www.hacker101.com/sessions/xss.html)
6 | * [Acunetix - Cross-site Scripting (XSS) Attackl](https://www.acunetix.com/websitesecurity/cross-site-scripting/)
7 | * [A timing attack with CSS selectors and Javascript](https://blog.sheddow.xyz/css-timing-attack/)
8 |
9 | ## Examples
10 |
11 | * [[2021] - XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers](https://ysamm.com/?p=525)
12 | * [[2020] - [gitlab] - Stored XSS on PyPi simple API endpoint](https://hackerone.com/reports/856836)
13 | * [[2020] - [gitlab] Stored XSS in markdown when redacting references](https://hackerone.com/reports/836649)
14 | * [[2020] - Self XSS in Shopify](https://hackerone.com/reports/982510)
15 | * [[2020] - Stored XSS in collabora via user name](https://hackerone.com/reports/968232)
16 | * [[2020] - $25K Instagram Almost XSS Filter Link — Facebook Bug Bounty](https://medium.com/@alonnsoandres/25k-instagram-almost-xss-filter-link-facebook-bug-bounty-798b10c13b83)
17 | * [[2020] - Stored XSS on upload files leads to steal cookie](https://hackerone.com/reports/765679)
18 | * [[2020] - Reflected XSS in https://blocked.myndr.net](https://hackerone.com/reports/824433)
19 | * [[2019] - Potential unprivileged Stored XSS through wp_targeted_link_rel](https://hackerone.com/reports/509930)
20 | * [[2019] - The Bug That Exposed Your PayPal Password](https://medium.com/@alex.birsan/the-bug-that-exposed-your-paypal-password-539fc2896da9)
21 | * [[2019] - Reflected XSS at https://pay.gold.razer.com escalated to account takeover](https://hackerone.com/reports/723060)
22 | * [[2019] - XSS in GMail’s AMP4Email via DOM Clobbering](https://research.securitum.com/xss-in-amp4email-dom-clobbering/)
23 | * [[2019] - Stored XSS vulnerability in comments on \*.wordpress.com](https://hackerone.com/reports/707720)
24 | * [[2019] - Wordpress Cross-Site Scripting Vulnerability Notification II](https://hackerone.com/reports/460911)
25 | * [[2019] - XSS in Shopify while logging using Google](https://hackerone.com/reports/691611)
26 | * [[2019] - Stored XSS in Wiki pages](https://hackerone.com/reports/526325)
27 | * [[2019] - Stored XSS on https://core.trac.wordpress.org](https://hackerone.com/reports/643908)
28 | * [[2019] - Zomato - Self-Stored XSS - Chained with login/logout CSRF](https://hackerone.com/reports/632017)
29 | * [[2019] - From Parameter Pollution to XSS](https://medium.com/@momenbasel/from-parameter-pollution-to-xss-d095e13be060)
30 | * [[2018] - Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd)
31 | * [[2018] - Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html)
32 | * [[2018] - Blind XSS in one of the Admin Dashboard](https://hackerone.com/reports/419731)
33 | * [[2018] - How I found a stored XSS on thousands of webshops](https://medium.com/intigriti/how-i-found-a-stored-xss-on-thousands-of-webshops-cf6e3134b820)
34 | * [[2018] - Reflected XSS on https://www.zomato.com](https://hackerone.com/reports/311639)
35 | * [[2018] - Reflected XSS on $Any$.myshopify.com/admin](https://hackerone.com/reports/422707)
36 | * [[2018] - XSS on www.paypal.com/paypalme/my/landing](https://hackerone.com/reports/425200)
37 | * [[2018] - hxp CTF 2018: µblog](https://github.com/lbherrera/writeups/tree/master/hxp-2018/blog)
38 | * [[2017] - Cross-Site Scripting to Local File Inclusion on Trello’s App](https://hackernoon.com/cross-site-scripting-to-remote-code-execution-on-trellos-app-699512676f0c)
39 | * [[2017] - App Maker and Colaboratory: a stored Google XSS double-bill](https://ysx.me.uk/app-maker-and-colaboratory-a-stored-google-xss-double-bill/)
40 | * [[2017] - Managed Apps and Music: a tale of two XSSes in Google Play](https://ysx.me.uk/managed-apps-and-music-a-tale-of-two-xsses-in-google-play/)
41 | * [[2017] - [dev.twitter.com] XSS](https://blog.blackfan.ru/2017/09/devtwittercom-xss.html)
42 | * [[2017] - Tinymce 2.4.0 XSS in Shopify](https://hackerone.com/reports/262230)
43 | * [[2017] - Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP](https://hackerone.com/reports/207042)
44 | * [[2017] - Reflected XSS - gratipay.com](https://hackerone.com/reports/262852)
45 | * [[2017] - Uber XSS via Cookie](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/)
46 | * [[2017] - XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"](https://hackerone.com/reports/231053)
47 | * [[2017] - Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/)
48 | * [[2016] - Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded](https://httpsonly.blogspot.com/2016/08/turning-self-xss-into-good-xss-v2.html)
49 | * [[2016] - Uber XSS 7000$](http://zhchbin.github.io/2016/09/10/A-Valuable-XSS/)
50 | * [[2016] - AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2](http://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/)
51 | * [[2016] - Coming across an XSS vulnerability at Google sites](http://nootropic.me/blog/en/blog/2016/09/20/%E3%82%84%E3%81%AF%E3%82%8A%E3%83%8D%E3%83%83%E3%83%88%E3%82%B5%E3%83%BC%E3%83%95%E3%82%A3%E3%83%B3%E3%82%92%E3%81%97%E3%81%A6%E3%81%84%E3%81%9F%E3%82%89%E3%81%9F%E3%81%BE%E3%81%9F%E3%81%BEgoogle/)
52 | * [[2016] - Combining host header injection and lax host parsing serving malicious data](https://labs.detectify.com/2016/10/24/combining-host-header-injection-and-lax-host-parsing-serving-malicious-data/)
53 | * [[2016] - Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212)](https://mksben.l0.cm/2016/07/xxn-caret.html)
54 | * [[2016] - Yahoo Mail stored XSS #2](https://klikki.fi/adv/yahoo2.html)
55 | * [[2016] - Yahoo Mail stored XSS](https://klikki.fi/adv/yahoo.html)
56 | * [[2016] - Stored XSS on developer.uber.com via admin account compromise](https://hackerone.com/reports/152067)
57 | * [[2016] - Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179)
58 | * [[2016] - Google Account Recovery XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss)
59 | * [[2016] - Google RPO Gadgets Lead to XSS](https://blog.innerht.ml/rpo-gadgets/)
60 | * [[2016] - Sleeping stored Google XSS Awakens a $5000 Bounty](https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/)
61 | * [[2015] - XSS via Host header - www.google.com/cse](https://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html)
62 | * [[2013] - Google, Open Redirects that Matter](https://sites.google.com/site/bughunteruniversity/best-reports/openredirectsthatmatter)
63 | * [[2013] - How I got the Bug Bounty for Mega.co.nz XSS](https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-co-nz-xss/)
64 | * [[2013] - Google Account Recovery Vulnerability](https://www.orenh.com/2013/11/google-account-recovery-vulnerability.html#comment-form)
65 |
--------------------------------------------------------------------------------
/Directory-Traversal-File-Include/README.md:
--------------------------------------------------------------------------------
1 | # Testing Directory Traversal/File Include (OTG-AUTHZ-001)
2 | [https://wiki.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)](https://wiki.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001))
3 |
4 | ## References
5 | * [File Inclusion Vulnerabilities - Offensive Scurity](https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/)
6 | * [CVV #1: Local File Inclusion](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
7 |
8 | ## Tools / Payloads
9 | * [PayloadsAllTheThings - Local/Remote File Inclusion](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
10 |
11 | ## Examples
12 | * [[2020] - Arbitrary file read via the UploadsRewriter when moving and issue](https://hackerone.com/reports/827052)
13 | * [[2019] - GoogleBugBounty: Lfi on Production Servers in "Springboard.Google.Com", $13,337 USD](https://omespino.com/write-up-google-bug-bounty-lfi-on-production-servers-in-redacted-google-com-13337-usd/)
14 | * [[2018] - Arbitrary File Reading on pda-test.yandex.ru](https://blog.blackfan.ru/2018/01/pda-test.yandex.ru-file-reading.html)
15 | * [[2018] - How I found my very first CVE
16 | ](https://medium.com/@tungpun/how-i-found-my-very-first-cve-f02557492728)
17 | * [Local File Include on marketing-dam.yahoo.com](https://hackerone.com/reports/7779)
18 | * [Journey from LFI to RCE!!!](https://medium.com/bugbountywriteup/bugbounty-journey-from-lfi-to-rce-how-a69afe5a0899)
19 | * [Local file inclusion at IKEA.com](https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f)
20 |
--------------------------------------------------------------------------------
/HTTP-Smuggling/README.md:
--------------------------------------------------------------------------------
1 | # Server Side Request Forgery
2 |
3 | [https://wiki.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)](https://wiki.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016))
4 |
5 | ## References
6 |
7 | * [https://portswigger.net/web-security/request-smuggling](https://portswigger.net/web-security/request-smuggling)
8 | * [https://www.pentestpartners.com/security-blog/http-request-smuggling-a-how-to/](https://www.pentestpartners.com/security-blog/http-request-smuggling-a-how-to/)
9 |
10 | ## Examples
11 |
12 | * [[2020] - HTTP request smuggling on Basecamp 2 allows web cache poisoning](https://hackerone.com/reports/919175)
13 | * [[2020] - Unauthenticated request smuggling on launchpad.37signals.com](https://hackerone.com/reports/867577)
14 | * [[2020] - h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)
15 | * [[2020] - XXE-scape through the front door: circumventing the firewall with HTTP request smuggling](https://honoki.net/2020/03/18/xxe-scape-through-the-front-door-circumventing-the-firewall-with-http-request-smuggling/)
16 | * [[2020] - Account takeover via HTTP Request Smuggling](https://hipotermia.pw/bb/http-desync-account-takeover)
17 | * [[2020] - http request smuggling in pscp.tv and periscope.tv](https://hackerone.com/reports/713285)
18 | * [[2020] - Stealing Zomato X-Access-Token: in Bulk using HTTP Request Smuggling on api.zomato.com](https://hackerone.com/reports/771666)
19 | * [[2020] - HTTP Desync Attacks: Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
20 | * [[2020] - Password theft login.newrelic.com via Request Smuggling](https://hackerone.com/reports/498052)
21 | * [[2020] - HTTP request Smuggling in Helium](https://hackerone.com/reports/867952)
22 | * [[2020] - HTTP request smuggling using malformed Transfer-Encoding header](https://hackerone.com/reports/735748)
23 | * [[2019] - HTTP Request Smuggling + IDOR](https://hipotermia.pw/bb/http-desync-idor)
24 | * [[2019] - Multiple HTTP Smuggling reports](https://hackerone.com/reports/648434)
25 | * [[2019] - Request smuggling on ████████ (U.S. Dept Of Defense)](https://hackerone.com/reports/526880)
--------------------------------------------------------------------------------
/HTTP-Verb-Tampering/README.md:
--------------------------------------------------------------------------------
1 | # HTTP Verb Tampering
2 | [https://wiki.owasp.org/index.php/Testing_for_HTTP_Verb_Tampering_(OTG-INPVAL-003)](https://wiki.owasp.org/index.php/Testing_for_HTTP_Verb_Tampering_(OTG-INPVAL-003))
3 |
4 | ## References
5 | [https://cheatsheetseries.owasp.org/assets/REST_Security_Cheat_Sheet_Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf](https://cheatsheetseries.owasp.org/assets/REST_Security_Cheat_Sheet_Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf)
6 | [https://www.hackingloops.com/how-to-find-website-is-vulnerable-to-http-verb-tampering/](https://www.hackingloops.com/how-to-find-website-is-vulnerable-to-http-verb-tampering/)
7 |
8 | ## Examples
9 | [[2020] - Private account causes displayed through API](https://hackerone.com/reports/826005)
--------------------------------------------------------------------------------
/Information-Leakage/README.md:
--------------------------------------------------------------------------------
1 | # Information Leakage
2 |
3 | ## References
4 | * [Hidden directories and files as a source of sensitive information about web application](https://medium.com/@_bl4de/hidden-directories-and-files-as-a-source-of-sensitive-information-about-web-application-84e5c534e5ad)
5 |
6 | ## Tools / Payloads
7 | * [RAFT file/directorie lists](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/)
8 | * [DirSearch](https://github.com/maurosoria/dirsearch)
9 | * [Git Dumper](https://github.com/arthaud/git-dumper)
10 | * [SVN Extractor](https://github.com/anantshri/svn-extractor)
11 | * [S3Scanner](https://github.com/sa7mon/S3Scanner)
12 | * [AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump)
13 |
14 | ## Examples
15 | * [[2019] - NordVPN, Disclosure of User Information](https://hackerone.com/reports/753725)
16 | * [[2019] - Razer, Misconfigured s3 Bucket exposure](https://hackerone.com/reports/700051)
17 | * [[2019] - JumpCloud API Key leaked via Open Github Repository (4000$)](https://hackerone.com/reports/716292)
18 | * [[2018] - MySQL username and password leaked in developer.valvesoftware.com via source code dislosure](https://hackerone.com/reports/291057)
19 | * [[2018] - [staging-engineering.gnip.com] Publicly accessible GIT directory](https://hackerone.com/reports/218465)
20 | * [[2018] - [support.wordcamp.org] - publicly accessible .svn repository](https://hackerone.com/reports/309714)
21 | * [[2018] - How to search for Open Amazon s3 Buckets and their contents](https://medium.com/@grayhatwarfare/how-to-search-for-open-amazon-s3-buckets-and-their-contents-https-buckets-grayhatwarfare-com-577b7b437e01)
--------------------------------------------------------------------------------
/Insecure-Authentication-Class/README.md:
--------------------------------------------------------------------------------
1 | # Insecure Authentication Class
2 |
3 | This page includes following test cases:
4 |
5 | ## Test User Registration Process (OTG-IDENT-002)
6 | [https://wiki.owasp.org/index.php/Test_User_Registration_Process_(OTG-IDENT-002)](https://wiki.owasp.org/index.php/Test_User_Registration_Process_(OTG-IDENT-002))
7 |
8 | ## Testing for Weak Lock Out Mechanism (OTG-AUTHN-003)
9 | [https://wiki.owasp.org/index.php/Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)](https://wiki.owasp.org/index.php/Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003))
10 |
11 | ## Testing for Bypassing Authentication Schema (OTG-AUTHN-004)
12 | [https://wiki.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)](https://wiki.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004))
13 |
14 | ## Test Remember Password Functionality (OTG-AUTHN-005)
15 | [https://wiki.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005)](https://wiki.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005))
16 |
17 | ## Testing for Browser Cache Weakness (OTG-AUTHN-006)
18 | [https://wiki.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)](https://wiki.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006))
19 |
20 | ## Testing for Weak Security Question/Answer (OTG-AUTHN-008)
21 | [https://wiki.owasp.org/index.php/Testing_for_Weak_security_question/answer_(OTG-AUTHN-008)](https://wiki.owasp.org/index.php/Testing_for_Weak_security_question/answer_(OTG-AUTHN-008))
22 |
23 | ## Testing for Weak Password Change or Reset Functionalities (OTG-AUTHN-009)
24 | [https://wiki.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009)](https://wiki.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009))
25 |
26 | ## Testing for Weaker Authentication in Alternative Channel (OTG-AUTHN-010)
27 | [https://wiki.owasp.org/index.php/Testing_for_Weaker_authentication_in_alternative_channel_(OTG-AUTHN-010)](https://wiki.owasp.org/index.php/Testing_for_Weaker_authentication_in_alternative_channel_(OTG-AUTHN-010))
28 |
29 | ## Testing for Weak or Unenforced Username Policy (OTG-IDENT-005)
30 | [https://wiki.owasp.org/index.php/Testing_for_Weak_or_unenforced_username_policy_(OTG-IDENT-005)](https://wiki.owasp.org/index.php/Testing_for_Weak_or_unenforced_username_policy_(OTG-IDENT-005))
31 |
32 | ## Testing for Default Credentials (OTG-AUTHN-002)
33 | [https://wiki.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)](https://wiki.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002))
34 |
35 | ## Testing for Two Factor Authentication Bypass (EXTRA-TEST-012)
36 |
37 | ## References
38 | * [4 Methods to Bypass two factor Authentication](https://shahmeeramir.com/4-methods-to-bypass-two-factor-authentication-2b0075d9eb5f)
39 |
40 | ## Examples
41 |
42 | * [[2020] - Facebook OAuth Framework Vulnerability](https://www.amolbaikar.com/facebook-oauth-framework-vulnerability/)
43 | * [[2020] - [shopify] Takeover an account that doesn't have a Shopify ID and more](https://hackerone.com/reports/867513)
44 | * [[2020] - [authmagic-timerange-stateless-core] Improper Authentication in NodeJS](https://hackerone.com/reports/736522)
45 | * [[2020] - Ability to link a Google account to another staff account/store owner that isn't linked yet](https://hackerone.com/reports/892904)
46 | * [[2020] - through %09 Character the attacker is able to steal Github Token](https://hackerone.com/reports/763058)
47 | * [[2020] - Leak of authorization urls leads to account takeover](https://hackerone.com/reports/746186)
48 | * [[2020] - OTP Verification Bypass (response edit)](https://medium.com/@rat010/otp-verification-bypass-ee17d68f8425)
49 | * [[2020] - Full account takeover at Reverb.com](https://hackerone.com/reports/314808)
50 | * [[2020] - bypass old password with array in /admin/account-user-email.php](https://hackerone.com/reports/792895)
51 | * [[2020] - Information can be changed without a password](https://hackerone.com/reports/721341)
52 | * [[2019] - Full account takeover via reset password function](https://weblog.seecureapp.com/full-account-takeover-via-reset-password-function/)
53 | * [[2019] - Password Reset Vulnerability (Poisoning)](https://www.acunetix.com/blog/articles/password-reset-poisoning/)
54 | * [[2019] - Password Reset Vulnerability — Full Account takeover (Insecure Direct Object Reference)](https://medium.com/@protector47/password-reset-vulnerability-full-account-takeover-insecure-direct-object-reference-c4a9a3ea8268)
55 | * [[2019] - How I was able to bypass OTP code requirement in Razer [The story of a critical bug]](https://medium.com/bugbountywriteup/how-i-was-able-to-bypass-otp-token-requirement-in-razer-the-story-of-a-critical-bug-fc63a94ad572)
56 | * [[2019] - Password Reset Link not expiring after changing the email Leads To Account Takeover](https://hackerone.com/reports/685007)
57 | * [[2019] - Ability to verify any email address you don't own - accounts.shopify.com](https://hackerone.com/reports/229619)
58 | * [[2019] - Bypassing GitHub's OAuth flow](https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html)
59 | * [[2019] - Analysis of Two Newly Patched Kubernetes Vulnerabilities](https://blog.paloaltonetworks.com/2019/10/cloud-kubernetes-vulnerabilities/)
60 | * [[2019] - How I was able to bypass OTP code requirement in Razer](https://medium.com/bugbountywriteup/how-i-was-able-to-bypass-otp-token-requirement-in-razer-the-story-of-a-critical-bug-fc63a94ad572)
61 | * [[2019] - $3,000 - Bypass Email Verification in GitLab -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain](https://hackerone.com/reports/565883)
62 | * [[2019] - How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc)](https://medium.com/@lukeberner/how-i-abused-2fa-to-maintain-persistence-after-a-password-change-google-microsoft-instagram-7e3f455b71a1)
63 | * [[2019] - Hijacking Accounts By Retrieving Jwt Tokens Via Unvalidated Redirects](https://www.shawarkhan.com/2019/01/hijacking-accounts-by-retrieving-jwt.html?m=1)
64 | * [[2019] - A Curious Case From Little To Complete Email Verification Bypass](https://medium.com/bugbountywriteup/a-curious-case-from-little-to-complete-email-verification-bypass-2c7570040e7e)
65 | * [[2019] - Insecure Zendesk SSO implementation by generating JWT client-side](https://hackerone.com/reports/638635)
66 | * [[2019] - Password theft login.newrelic.com via Request Smuggling](https://hackerone.com/reports/498052)
67 | * [[2019] - Ability to reset password for account](https://hackerone.com/reports/322985)
68 | * [[2018] - Forget password link not expiring after email change.](https://hackerone.com/reports/411337)
69 | * [[2018] - Bypass HackerOne 2FA requirement and reporter blacklist](https://medium.com/japzdivino/bypass-hackerone-2fa-requirement-and-reporter-blacklist-46d7959f1ee5)
70 | * [[2018] - Password reset token leakage via referer](https://hackerone.com/reports/342693)
71 | * [[2018] - Able to reset other user's password in https://card.starbucks.com.sg/](https://hackerone.com/reports/315879)
72 | * [[2018] - How I bypassed 2-Factor Authentication in a bug bounty program](http://c0d3g33k.blogspot.com/2018/02/how-i-bypassed-2-factor-authentication.html)
73 | * [[2018] - [www.coursera.org] Leaking password reset link on referrer header](https://hackerone.com/reports/303322)
74 | * [[2018] - Instagram Multi-factor authentication Bypass](https://medium.com/@vishnu0002/instagram-multi-factor-authentication-bypass-924d963325a1)
75 | * [[2018] - [www.boozt.com] - Authentication bypass](https://hackerone.com/reports/257305)
76 | * [[2017] - Password reset token issue](https://hackerone.com/reports/253934)
77 | * [[2018] - Password reset token not expiring](https://hackerone.com/reports/170161)
78 | * [[2017] - Password reset link injection allows redirect to malicious URL](https://hackerone.com/reports/272379)
79 | * [[2017] - Forgot password link doesn't expire after used, only after some hours](https://hackerone.com/reports/244642)
80 | * [[2017] - Authentication bypass on Uber’s Single Sign-On via subdomain takeover](https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/)
81 | * [[2017] - SAML Bug in Github worth $15,000](http://www.economyofmechanism.com/github-saml.html)
82 | * [[2017] - Authentication bypass on Airbnb via OAuth tokens theft](https://www.arneswinnen.net/2017/06/authentication-bypass-on-airbnb-via-oauth-tokens-theft/)
83 | * [[2017] - Yahoo Bug Bounty: Exploiting OAuth Misconfiguration To Takeover Flickr Accounts](https://mishresec.wordpress.com/2017/10/12/yahoo-bug-bounty-exploiting-oauth-misconfiguration-to-takeover-flickr-accounts/)
84 | * [[2016] - Paypal 2FA Bypass](https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass)
85 | * [[2016] - OneLogin authentication bypass on WordPress sites](https://hackerone.com/reports/136169)
86 | * [[2016] - OneLogin authentication bypass on WordPress sites via XMLRPC](https://hackerone.com/reports/138869)
--------------------------------------------------------------------------------
/Insecure-Direct-Object-References/README.md:
--------------------------------------------------------------------------------
1 | # Insecure Direct Object References (OTG-AUTHZ-004)
2 | [https://wiki.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)](https://wiki.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
3 |
4 | ## References
5 | * [https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/](https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
6 | * [https://wiki.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet](https://wiki.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
7 | * [https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
8 | * [A Deep Dive On The Most Critical API Vulnerability — BOLA (Broken Object Level Authorization)](https://medium.com/@inonst/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2)
9 | * [How spending our Saturday hacking earned us 20k](https://medium.com/@matti.bijnens/how-spending-our-saturday-hacking-earned-us-20k-60990c4678d4)
10 | * [31-days-of-API-Security-Tips](https://github.com/smodnix/31-days-of-API-Security-Tips)
11 |
12 | ## Examples
13 | * [[2020] - Missing ownership check on remote wipe endpoint](https://hackerone.com/reports/819807)
14 | * [[2019] - Twitter: IDOR and statistics leakage in Orders](https://hackerone.com/reports/544329)
15 | * [[2019] - Lerhan: Bypassing IDOR protection with URL shorteners](https://blog.detectify.com/2019/07/03/lerhan-bypassing-idor-protection-with-url-shorteners/)
16 | * [Trello bug bounty: The websocket receives data when a public company creates a team visible board](https://hethical.io/trello-bug-bounty-the-websocket-receives-data-when-a-public-company-creates-a-team-visible-board/)
17 | * [Trello bug bounty: Payments informations are sent to the webhook when a team changes its visibility](https://hethical.io/trello-bug-bounty-payments-informations-are-sent-to-the-webhook-when-a-team-changes-its-visibility/)
18 | * [Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)](https://hackerone.com/reports/143717)
19 | * [Vulnerability in Youtube allowed moving comments from any video to another](https://secgeek.net/youtube-vulnerability/)
20 | * [Twitter Vulnerability Could Delete Credit Cards from Any Twitter Account](https://secgeek.net/twitter-vulnerability/)
21 | * [One Vulnerability allowed deleting comments of any user in all Yahoo sites](https://secgeek.net/yahoo-comments-vulnerability/)
22 | * [Microsoft-careers.com Remote Password Reset](http://yasserali.com/microsoft-careers-com-remote-password-reset/)
23 | * [How I could change your eBay password](http://yasserali.com/how-i-could-change-your-ebay-password/)
24 | * [Hacking Facebook.com/thanks Posting on behalf of your friends!](http://www.anandpraka.sh/2014/11/hacking-facebookcomthanks-posting-on.html)
25 | * [How I got access to millions of [redacted] accounts](https://bitquark.co.uk/blog/2016/02/09/how_i_got_access_to_millions_of_redacted_accounts)
26 | * [All Vimeo Private videos disclosure via Authorization Bypass](https://hackerone.com/reports/137502)
27 | * [Urgent: Attacker can Access Every Data Source on Bime](https://hackerone.com/reports/149907)
28 | * [Downloading password protected / restricted videos](https://hackerone.com/reports/145467)
29 | * [Get organization info base on uuid](https://hackerone.com/reports/151465)
30 | * [How I Exposed your Primary Facebook Email Address (Bug worth $4500)](http://roy-castillo.blogspot.com/2013/07/how-i-exposed-your-primary-facebook.html)
31 | * [DOB disclosed using "Facebook Graph API Reverse Engineering"](https://medium.com/@rajsek/my-3rd-facebook-bounty-hat-trick-chennai-tcs-er-name-listed-in-facebook-hall-of-fame-47f57f2a4f71)
32 | * [Leak of all project names and all user names , even across applications](https://hackerone.com/reports/152696)
33 | * [View liked twits of private account via publish.twitter.com](https://hackerone.com/reports/174721)
34 | * [Facebook Vulnerability - Delete Any Video on Facebook](https://danmelamed.blogspot.com/2017/01/facebook-vulnerability-delete-any-video.html)
35 | * [Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User](https://stephensclafani.com/2014/07/08/hacking-facebooks-legacy-api-part-1-making-calls-on-behalf-of-any-user/)
36 | * [Hacking Facebook’s Legacy API, Part 2: Stealing User Sessions](https://stephensclafani.com/2014/07/29/hacking-facebooks-legacy-api-part-2-stealing-user-sessions/)
37 | * [Facebook's Bug - Delete any video from Facebook](https://pranavhivarekar.in/2016/06/23/facebooks-bug-delete-any-video-from-facebook/)
38 | * [Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages](https://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)
39 | * [How I took control of your Twitter account (tweeting, viewing/deleting photos and other media)](http://www.anandpraka.sh/2017/05/how-i-took-control-of-your-twitter.html)
40 | * [IDOR on HackerOne Feedback Review - HackerOne](https://hackerone.com/reports/262661)
41 | * [IDOR to view User Order Information - HackerOne](https://hackerone.com/reports/287789)
42 | * [Generating Access Tokens for any Facebook user.](https://medium.com/bugbountywriteup/how-i-was-able-to-generate-access-tokens-for-any-facebook-user-6b84392d0342)
43 |
--------------------------------------------------------------------------------
/JSON-Web-Token-Flaw/README.md:
--------------------------------------------------------------------------------
1 | # JSON Web Token Flaw
2 |
3 | ## References
4 |
5 | * [Hardcoded secrets, unverified tokens, and other common JWT mistakes](https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)
6 | * [Hackerone - 2018-04-11 - JSON Web Token Security Cheat Sheet](https://www.hackerone.com/zerodaily/2018-04-11)
7 | * [Using JWT (JSON Web Tokens) to authorize users and protect API routes](https://medium.com/@maison.moa/using-jwt-json-web-tokens-to-authorize-users-and-protect-api-routes-3e04a1453c3e)
8 | * [JSON Web Token Cheat Sheet for Java](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.md)
9 |
10 | ## Payloads
11 |
12 | * [PayloadsAllTheThings - JSON Web Token](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token)
13 |
14 | ## Examples
15 |
16 | * [[2020] - [express-laravel-passport] Improper Authentication](https://hackerone.com/reports/748214)
17 | * [[2018] - Hacking JSON Web Token (JWT)](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
18 | * [[2018] - Exploiting JSON Web Token Vulnerability](https://www.moses-security.com/blog/exploiting-json-web-token-vulnerability)
19 | * [[2017] - How to Hack a Weak JWT Implementation with a Timing Attack](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
20 | * [[2017] - Brute Forcing JWT Token (HS256)](https://medium.com/@valeriyshevchenko/brute-forcing-jwt-token-hs256-6f545d24c7c3)
21 | * [[2017] - Hackinh JSON Web Tokens - from Zero to Hero without Effort](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
22 | * [[2017] - JWT Hacking 101](https://trustfoundry.net/jwt-hacking-101/)
23 | * [[2017] - Forging JSON Web Tokens To Win a Prize](https://dev.to/antoinette0x53/forging-json-web-tokens-to-win-a-prize)
24 | * [[2017] - JWT Burp Extension](https://blog.compass-security.com/2017/05/jwt-burp-extension/)
25 | * [[2017] - Cracking JWT Tokens](https://www.slideshare.net/loige/processing-your-pdf-into-slides-cracking-jwt-tokens-a-tale-of-magic-nodejs-and-parallel-computing-code-europe-wroclaw-december-2017)
26 | * [[2016] - Attacking JWT Authentication](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
27 | * [[2015] - Critical vulnerabilities in JSON Web Token libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)
28 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 |
635 | Copyright (C)
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | Copyright (C)
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------
/Open-Redirect/README.md:
--------------------------------------------------------------------------------
1 | # Open Redirect
2 | [https://wiki.owasp.org/index.php/Testing_for_Client_Side_URL_Redirect_(OTG-CLIENT-004)](https://wiki.owasp.org/index.php/Testing_for_Client_Side_URL_Redirect_(OTG-CLIENT-004))
3 |
4 | ## References
5 | * [Understanding and Discovering Open Redirect Vulnerabilities](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/understanding-and-discovering-open-redirect-vulnerabilities/)
6 | * [Using Burp to Test for Open Redirections](https://portswigger.net/support/using-burp-to-test-for-open-redirections)
7 |
8 | ## Examples
9 |
10 | * [[2020] - Safe Redirect Bypass in Twitter](https://hackerone.com/reports/945990)
11 | * [[2020] - Open Redirect filter bypass through '\' character via URL parameter](https://hackerone.com/reports/840736)
12 | * [[2020] - Accepting error message on twitter sends you to attacker site](https://hackerone.com/reports/781673)
13 | * [[2019] - Open Redirection in [https://www.hackerone.com/index.php]](https://hackerone.com/reports/562417)
14 | * [[2019] - Open Redirect in the Path of vendhq.com](https://hackerone.com/reports/692154)
15 | * [[2019] - [dev.twitter.com] XSS and Open Redirect Protection Bypass](https://hackerone.com/reports/330008)
16 | * [[2018] - Open Redirect in SEMrush](https://hackerone.com/reports/311330)
17 | * [[2014] - HackerOne Bug - Redirect Filter Bypass and Open Redirector](https://pranavhivarekar.in/2014/09/19/hackerone-bug-redirect-filter-bypass-and-open-redirector/)
--------------------------------------------------------------------------------
/Others/README.md:
--------------------------------------------------------------------------------
1 | # Other Reports
2 |
3 | Uncategorized reports go here
4 |
5 | ## Examples
6 | [[2019] - MitM attacks on HSTS-protected hosts are possible](https://hackerone.com/reports/461780)
--------------------------------------------------------------------------------
/Privilege-Escalation/README.md:
--------------------------------------------------------------------------------
1 | # Privilege Escalation
2 | * [https://wiki.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)](https://wiki.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003))
3 |
4 | ## Examples
5 | * [[2020] - Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation](https://hackerone.com/reports/910300)
6 | * [[2019] - Users can enable API access for free via mass assignment](https://hackerone.com/reports/267781)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Penetration Test Guide based on the OWASP + Extra
2 | This guide is for the penetration testers seeking for the appropriate test cases required during a penetration test project. I rearranged the [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents) from my point of view including `9 Test Classes` and each class has several `Test Cases` to conduct against the target. Each `Test Case` covers several OWASP tests which also is useful for the report document. I've also added `15 extra Tests Cases` marked by the `EXTRA-TEST`. I hope it will be useful in both penetration test projects and bug-bounty.
3 |
4 | ### TODO:
5 | 1. Add resources for each test.
6 |
7 | ## Information Gathering
8 | * * **Fingerprint Technologies**
9 | * Fingerprint Web Server (OTG-INFO-002)
10 | * Enumerate Applications on Webserver (OTG-INFO-004)
11 | * Fingerprint Web Application Framework (OTG-INFO-008)
12 | * Fingerprint Web Application (OTG-INFO-009)
13 | * * **Information Leakage**
14 | * [Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001)](https://github.com/Voorivex/pentest-guide/tree/master/Information-Leakage)
15 | * [Review Webserver Metafiles for Information Leakage (OTG-INFO-003)](https://github.com/Voorivex/pentest-guide/tree/master/Information-Leakage)
16 | * [Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005)](https://github.com/Voorivex/pentest-guide/tree/master/Information-Leakage)
17 | * [Analysis of Error Codes (OTG-ERR-001)](https://github.com/Voorivex/pentest-guide/tree/master/Information-Leakage)
18 | * [Analysis of Stack Traces (OTG-ERR-002)](https://github.com/Voorivex/pentest-guide/tree/master/Information-Leakag)
19 | * [Conduct a Fuzzing for Hidden and Sensitive Files or Directories (EXTRA-TEST-014)](https://github.com/Voorivex/pentest-guide/tree/master/Information-Leakage)
20 | * * **Directory Indexing**
21 | * Search for Directory Indexing (EXTRA-TEST-001)
22 | * * **Storing Sensitive Information on Client Side**
23 | * Test Local Storage (OTG-CLIENT-012)
24 |
25 | ## Configuration and Deployment Management
26 | * * **Enumerate Infrastructure and Application Admin Interfaces**
27 | * Enumerate Infrastructure and Application Admin Interfaces (OTG-CONFIG-005)
28 | * Test Network/Infrastructure Configuration (OTG-CONFIG-001)
29 | * * **Hidden Resources Discovery**
30 | * Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
31 | * * **HTTP Security Headers**
32 | * Testing for Lack of HTTP Security Headers (EXTRA-TEST-002)
33 |
34 | ## Identity Management and Authentication
35 | * * **Secure Authentication Class**
36 | * [Test User Registration Process (OTG-IDENT-002)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
37 | * [Testing for Weak Lock Out Mechanism (OTG-AUTHN-003)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
38 | * [Testing for Bypassing Authentication Schema (OTG-AUTHN-004)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
39 | * [Test Remember Password Functionality (OTG-AUTHN-005)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
40 | * [Testing for Browser Cache Weakness (OTG-AUTHN-006)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
41 | * [Testing for Weak Security Question/Answer (OTG-AUTHN-008)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
42 | * [Testing for Weak Password Change or Reset Functionalities (OTG-AUTHN-009)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
43 | * [Testing for Weaker Authentication in Alternative Channel (OTG-AUTHN-010)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
44 | * [Testing for Weak or Unenforced Username Policy (OTG-IDENT-005)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
45 | * [Testing for Default Credentials (OTG-AUTHN-002)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
46 | * [Testing for Two Factor Authentication Bypass (EXTRA-TEST-012)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Authentication-Class)
47 | * * **Username Enumeration**
48 | * Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)
49 | * * **Testing for Recovering Sensitive Information**
50 | * Testing for Recovering Sensitive Information from Database (EXTRA-TEST-003)
51 | * * **Testing against Brute Force attack**
52 | * [Testing against Brute Force attack (EXTRA-TEST-004)](https://github.com/Voorivex/pentest-guide/tree/master/Brute-Force)
53 | * * **Password policy**
54 | * Testing for Weak password policy (OTG-AUTHN-007)
55 | * * **Testing for SSL over User Authentication**
56 | * Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)
57 |
58 | ## Authorization and Boundary Test
59 | * * **User Access Control**
60 | * Test Role Definitions (OTG-IDENT-001)
61 | * Test Account Provisioning Process (OTG-IDENT-003)
62 | * Testing for Bypassing Authorization Schema (OTG-AUTHZ-002)
63 | * [Testing for Privilege Escalation (OTG-AUTHZ-003)](https://github.com/Voorivex/pentest-guide/tree/master/Privilege-Escalation)
64 | * [Testing for HTTP Verb Tampering (OTG-INPVAL-003)](https://github.com/Voorivex/pentest-guide/tree/master/HTTP_Verb_Tampering)
65 | * [Testing for JSON Web Token Flaw (EXTRA-TEST-006)](https://github.com/Voorivex/pentest-guide/tree/master/JSON-Web-Token-Flaw)
66 | * [Test Cross Origin Resource Sharing (OTG-CLIENT-007)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Origin-Resource-Sharing)
67 | * * **File Inclusions**
68 | * [Testing Directory Traversal/File Include (OTG-AUTHZ-001)](https://github.com/Voorivex/pentest-guide/tree/master/Directory-Traversal-File-Include)
69 | * * **Execution after Redirect**
70 | * Execution after Redirect (EXTRA-TEST-005)
71 | * * **Cross Site Request Forgery**
72 | * [Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Site-Request-Forgery)
73 | * * **Secured File Upload**
74 | * [Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)](https://github.com/Voorivex/pentest-guide/tree/master/Secured-File-Upload)
75 | * [Test Upload of Malicious Files (OTG-BUSLOGIC-009)](https://github.com/Voorivex/pentest-guide/tree/master/Secured-File-Upload)
76 | * * **Insecure Direct Object References**
77 | * [Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://github.com/Voorivex/pentest-guide/tree/master/Insecure-Direct-Object-References)
78 | * * **Secured Captcha implementation**
79 | * Test for Secured Captcha Workflow (EXTRA-TEST-007)
80 |
81 | ## Cookie and Session Management
82 | * * **Testing for Cookies attributes**
83 | * [Testing for Cookies attributes (OTG-SESS-002)](https://github.com/Voorivex/pentest-guide/tree/master/Cookies-Attributes)
84 | * * **Secure Session Management**
85 | * Testing for Bypassing Session Management Schema (OTG-SESS-001)
86 | * Testing for Session Fixation (OTG-SESS-003)
87 | * Testing for Exposed Session Variables (OTG-SESS-004)
88 | * Testing for Logout functionality (OTG-SESS-006)
89 | * Test Session Timeout (OTG-SESS-007)
90 | * Testing for Session puzzling (OTG-SESS-008)
91 |
92 | ## Accessibility
93 | * * **Denial of Service**
94 | * Test for Denial of Service (EXTRA-TEST-008)
95 |
96 | ## Input/Output Validation
97 | * * **Cross Site Scripting**
98 | * [Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Site-Scripting)
99 | * [Testing for Stored Cross Site Scripting (OTG-INPVAL-002)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Site-Scripting)
100 | * [Testing for DOM based Cross Site Scripting (OTG-CLIENT-001)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Site-Scripting)
101 | * [Testing for JavaScript Execution (OTG-CLIENT-002)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Site-Scripting)
102 | * [Testing for HTML Injection (OTG-CLIENT-003)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Site-Scripting)
103 | * [Testing for CSS Injection (OTG-CLIENT-005)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Site-Scripting)
104 | * [Testing for Client Side Resource Manipulation (OTG-CLIENT-006)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Site-Scripting)
105 | * [Testing for Clickjacking (OTG-CLIENT-009)](https://github.com/Voorivex/pentest-guide/tree/master/Cross-Site-Scripting)
106 | * * **SQL Injection**
107 | * [Testing for SQL Injection (OTG-INPVAL-005)](https://github.com/Voorivex/pentest-guide/tree/master/SQL-Injection)
108 | * Testing for Incubated Vulnerabilities (OTG-INPVAL-015)
109 | * * **NoSQL Injection**
110 | * Testing for XPath Injection (OTG-INPVAL-010)
111 | * Testing for XML Injection (OTG-INPVAL-008)
112 | * Testing for MongoDB Injection (EXTRA-TEST-011)
113 | * * **Server Side Code Injection**
114 | * Testing for LDAP Injection (OTG-INPVAL-006)
115 | * Testing for ORM Injection (OTG-INPVAL-007)
116 | * Testing for SSI Injection (OTG-INPVAL-009)
117 | * IMAP/SMTP Injection (OTG-INPVAL-011)
118 | * [Testing for Code Injection (OTG-INPVAL-012)](https://github.com/Voorivex/pentest-guide/tree/master/Command-Injection)
119 | * [Testing for Server Side Template Injection (EXTRA-TEST-013)](https://github.com/Voorivex/pentest-guide/tree/master/Server-Side-Template-Injection)
120 | * * **Remote Command Execution**
121 | * [Testing for Command Injection (OTG-INPVAL-013)](https://github.com/Voorivex/pentest-guide/tree/master/Command-Injection)
122 | * * **Buffer Overflow**
123 | * Testing for Buffer Overflow (OTG-INPVAL-014)
124 | * * **XML External Entity (XXE)**
125 | * [Testing for XML External Entity (XXE) (EXTRA-TEST-009)](https://github.com/Voorivex/pentest-guide/tree/master/XML-External-Entity)
126 | * * **Server Side Request Forgery (SSRF)**
127 | * [Testing for Server Side Request Forgery (SSRF) (EXTRA-TEST-010)](https://github.com/Voorivex/pentest-guide/tree/master/Server-Side-Request-Forgery)
128 | * * **Open Redirect**
129 | * [Testing for Client Side URL Redirect (OTG-CLIENT-004)](https://github.com/Voorivex/pentest-guide/tree/master/Open-Redirect)
130 | * * **HTTP Splitting/Smuggling**
131 | * [Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)](https://github.com/Voorivex/pentest-guide/tree/master/HTTP-Smuggling)
132 | * * **Race Condition**
133 | * [Testing for Race Condition (EXTRA-TEST-15)](https://github.com/Voorivex/pentest-guide/tree/master/Race-Condition)
134 |
135 | ## Testing for weak Cryptography
136 | * * **Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection**
137 | * Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)
138 | * * **Testing for Sensitive Information Sent via Unencrypted Channels**
139 | * Testing for Sensitive Information Sent via Unencrypted Channels (OTG-CRYPST-003)
140 | * Testing for Padding Oracle (OTG-CRYPST-002)
141 |
142 | ## Workflow/Dataflow Tests
143 | * * **Business Logic Testing**
144 | * [Test Business Logic Data Validation (OTG-BUSLOGIC-001)](https://github.com/Voorivex/pentest-guide/tree/master/Business-Logic)
145 | * [Test Ability to Forge Requests (OTG-BUSLOGIC-002)](https://github.com/Voorivex/pentest-guide/tree/master/Business-Logic)
146 | * [Test Integrity Checks (OTG-BUSLOGIC-003)](https://github.com/Voorivex/pentest-guide/tree/master/Business-Logic)
147 | * [Test for Process Timing (OTG-BUSLOGIC-004)](https://github.com/Voorivex/pentest-guide/tree/master/Business-Logic)
148 | * [Test Number of Times a Function Can be Used Limits (OTG-BUSLOGIC-005)](https://github.com/Voorivex/pentest-guide/tree/master/Business-Logic)
149 | * [Test for the Circumvention of Work Flows (OTG-BUSLOGIC-006)](https://github.com/Voorivex/pentest-guide/tree/master/Business-Logic)
150 | * [Test Defenses Against Application Mis-use (OTG-BUSLOGIC-007)](https://github.com/Voorivex/pentest-guide/tree/master/Business-Logic)
151 |
--------------------------------------------------------------------------------
/Race-Condition/README.md:
--------------------------------------------------------------------------------
1 | # Race Condition
2 | * [Business Logic Vulnerabilities](https://portswigger.net/web-security/logic-flaws/examples)
3 |
4 | ## References
5 | * [Race Condition Bug In Web App: A Use Case](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
6 | * [Moving Beyond The OWASP Top 10, Part 1: Race Conditions](https://resources.securitycompass.com/blog/moving-beyond-the-owasp-top-10-part-1-race-conditions-2)
7 |
8 | ## Examples (Race Condition)
9 | * [[2020] - Race Condition when following a user](https://hackerone.com/reports/927384)
10 | * [[2020] - Hacking Banks With Race Conditions](https://medium.com/swlh/hacking-banks-with-race-conditions-2f8d55b45a4b)
11 | * [[2020] - Race Condition vulnerability found in bug-bounty program](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43)
12 | * [[2018] - Race Condition Bug In Web App: A Use Case](https://medium.com/@ciph3r7r0ll/race-condition-bug-in-web-app-a-use-case-21fd4df71f0e)
13 | * [[2017] - How to check Race Conditions in Web Applications](https://medium.com/@valeriyshevchenko/how-to-check-race-conditions-in-web-applications-338f73937992)
14 |
--------------------------------------------------------------------------------
/SQL-Injection/README.md:
--------------------------------------------------------------------------------
1 | # SQL Injection
2 | [What is SQL Injection (SQLi) and How to Prevent It - Acunetix](https://www.acunetix.com/websitesecurity/sql-injection/)
3 |
4 | ## References
5 | * [What is SQL injection (SQLi)? - PortSwigger](https://portswigger.net/web-security/sql-injection)
6 |
7 | ## Cheat Sheets
8 | * [Netsparker Sqli CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
9 | * [NetSPI SQL Injection Wiki! Really Good](https://sqlwiki.netspi.com/)
10 | * [websec.cs handy SQLi CheatSheet](https://websec.ca/kb/sql_injection)
11 |
12 | ## Tools / Payloads
13 | * [sqlmap](https://github.com/sqlmapproject/sqlmap)
14 | * [Handy Payloads](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
15 |
16 | ## Examples
17 | * [[2020] - SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution](https://hackerone.com/reports/816254)
18 | * [[2020] - Blind SQL Injection - InnoGames ](https://hackerone.com/reports/758654)
19 | * [[2020] - SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database](https://hackerone.com/reports/531051)
20 | * [[2020] - [windows10.hi-tech.mail.ru] Blind SQL Injection](https://hackerone.com/reports/786044)
21 | * [[2019] - H1-4420: From Quiz to Admin - Chaining Two 0-Days to Compromise An Uber Wordpress](https://www.rcesecurity.com/2019/09/H1-4420-From-Quiz-to-Admin-Chaining-Two-0-Days-to-Compromise-an-Uber-Wordpress/)
22 | * [[2019] - Pwning child company to get access to ParentCompany's Slack Team](https://blog.parthmalhotra.com/pwning-child-company-to-get-access-to-parentcompanys-slack-team/)
23 | * [[2019] - EXPLOITING A TRICKY BLIND SQL INJECTION INSIDE LIMIT CLAUSE](https://www.noob.ninja/2019/07/exploiting-tricky-blind-sql-injection.html)
24 | * [[2019] - SQL Injection in Forget Password Function](https://medium.com/@kgaber99/sql-injection-in-forget-password-function-3c945512e3cb)
25 | * [[2019] - SQL Injection Bug Bounty POC!](https://medium.com/@ariffadhlullah2310/sql-injection-bug-bounty-110e92e71ec3)
26 | * [[2019] - Blind (time-based) SQLi - Bug Bounty](https://jspin.re/fileupload-blind-sqli/)
27 | * [[2019] - SQl Injection](https://medium.com/@saadahmedx/sql-injection-c87a390afdd3)
28 | * [[2019] - SQL injection through User-Agent](https://medium.com/@frostnull/sql-injection-through-user-agent-44a1150f6888)
29 | * [[2019] - Comma is forbidden! No worries!! Inject in insert/update queries without it](https://blog.redforce.io/sql-injection-in-insert-update-query-without-comma/)
30 | * [[2019] - Hacking a Crypto Debit Card Service](https://medium.com/@mahitman1/hacking-a-crypto-debit-card-service-730f287aaee7)
31 |
--------------------------------------------------------------------------------
/Secured-File-Upload/README.md:
--------------------------------------------------------------------------------
1 | # Cross-Site Scripting
2 | [https://wiki.owasp.org/index.php/Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008)](https://wiki.owasp.org/index.php/Test_Upload_of_Unexpected_File_Types_(OTG-BUSLOGIC-008))
3 | [https://wiki.owasp.org/index.php/Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009)](https://wiki.owasp.org/index.php/Test_Upload_of_Malicious_Files_(OTG-BUSLOGIC-009))
4 |
5 | ## References
6 | * [Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
7 | * [[WEB] Bypass file upload filter with .htaccess](https://thibaudrobin.github.io/articles/bypass-filter-upload/)
8 |
9 | ## Examples
10 | * [[2020] - Unrestricted File Upload Leads to XSS & Potential RCE](https://hackerone.com/reports/900179)
11 | * [[2019] - Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image](https://hackerone.com/reports/748903)
--------------------------------------------------------------------------------
/Server-Side-Request-Forgery/README.md:
--------------------------------------------------------------------------------
1 | # Server Side Request Forgery
2 |
3 | ## References
4 | * [A New Era Of SSRF - Blackhat](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf)
5 | * [HOW TO: SERVER-SIDE REQUEST FORGERY (SSRF) - HackerOne](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
6 |
7 | * [[2019] - SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-1-29d034c27978)
8 | * [[2019] - SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-2](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-2-a085ec4332c0)
9 | * [[2019] - SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-3](https://medium.com/@madrobot/ssrf-server-side-request-forgery-types-and-ways-to-exploit-it-part-3-b0f5997e3739)
10 | ## Tools / Payloads
11 | * [PayloadsAllTheThings - SSRF Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF%20injection)
12 | * [SSRF map](https://github.com/swisskyrepo/SSRFmap)
13 | * [OWASP Server-Side Request Forgery Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
14 |
15 | ## Examples
16 |
17 | * [[2020] - 31k$ SSRF in Google Cloud Monitoring led to metadata exposure](https://nechudav.blogspot.com/2020/11/31k-ssrf-in-google-cloud-monitoring.html)
18 | * [[2020] - Half-Blind SSRF found in kube/cloud-controller-manager can be upgraded to complete SSRF (fully crafted HTTP requests) in vendor managed k8s service](https://hackerone.com/reports/776017)
19 | * [[2020] - Full Read SSRF on Gitlab's Internal Grafana](https://hackerone.com/reports/878779)
20 | * [[2020] - Vulnerabilities in the Openfire Admin Console](https://swarm.ptsecurity.com/openfire-admin-console/)
21 | * [[2020] - How I made $31500 by submitting a bug to Facebook](https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204)
22 | * [[2020] - My expense report resulted in a server-side request forgery (ssrf) on LYFT](https://nahamsec.com/posts/my-expense-report-resulted-in-a-server-side-request-forgery-ssrf-on-lyft)
23 | * [[2020] - [gitlab] SSRF into Shared Runner, by replacing dockerd with malicious server in Executor](https://hackerone.com/reports/809248)
24 | * [[2020] - Blind HTTP GET SSRF via website icon fetch (bypass of pull#812)](https://hackerone.com/reports/925527)
25 | * [[2020] - Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint](https://hackerone.com/reports/895696)
26 | * [[2020] - Story of a 2.5k Bounty — SSRF on Zimbra Led to Dump All Credentials in Clear Text](https://medium.com/bugbountywriteup/story-of-a-2-5k-bounty-ssrf-on-zimbra-led-to-dump-all-credentials-in-clear-text-6fe826005ccc)
27 | * [[2020] - Blind SSRF on https://labs.data.gov/dashboard/Campaign/json_status/ Endpoint](https://hackerone.com/reports/895696)
28 | * [[2020] - Gitlab - Server Side Request Forgery mitigation bypass](https://hackerone.com/reports/632101)
29 | * [[2019] - SSRF in Azure DevOps Services](https://medium.com/@hackyzh/ssrf-in-azure-devops-services-88e7fdd58109)
30 | * [[2019] - Semrush - SSRF In Get Video Contents](https://hackerone.com/reports/643622)
31 | * [[2019] - SSRF in VCARD photo upload functionality](https://hackerone.com/reports/296045)
32 | * [[2019] - SSRF - Blacklist bypass for mail account addition](https://hackerone.com/reports/303378)
33 | * [[2019] - SSRF - RSS feed, blacklist bypass (301 re-direct)](https://hackerone.com/reports/299135)
34 | * [[2019] - SSRF - RSS feed, blacklist bypass (IP Formatting)](https://hackerone.com/reports/299130)
35 | * [[2019] - Slack - Bypass of the SSRF protection in Event Subscriptions parameter.](https://hackerone.com/reports/386292)
36 | * [[2019] - Slack - SSRF in api.slack.com, using slash commands and bypassing the protections.](https://hackerone.com/reports/381129)
37 | * [[2019] - Omise - SSRF in webhooks leads to AWS private keys disclosure](https://hackerone.com/reports/508459)
38 | * [[2019] - Unauthenticated blind SSRF in OAuth Jira authorization controller](https://hackerone.com/reports/398799)
39 | * [[2019] - SSRF in hatchful.shopify.com](https://hackerone.com/reports/409701)
40 | * [[2019] - SSRF in rompager-check](https://hackerone.com/reports/374818)
41 | * [[2019] - Gitlab - SSRF in CI after first run](https://hackerone.com/reports/369451)
42 | * [[2019] - Exploiting SSRF in AWS Elastic Beanstalk](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
43 | * [[2018] - Into the Borg – SSRF inside Google production network](https://opnsec.com/2018/07/into-the-borg-ssrf-inside-google-production-network/)
44 | * [[2018] - Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html)
45 | * [[2018] - Rockstar Games - LFI and SSRF via XXE in emblem editor](https://hackerone.com/reports/347139)
46 | * [[2018] - Just another tale of severe bugs on a private program.](https://medium.com/@sivakrishnasamireddi/just-another-tale-of-severe-bugs-on-a-private-program-405870b03532)
47 | * [[2018] - Adminer Script Results to Pwning Server?, Private Bug Bounty Program](https://medium.com/bugbountywriteup/adminer-script-results-to-pwning-server-private-bug-bounty-program-fe6d8a43fe6f)
48 | * [[2018] - From blind XXE to root-level file read access](https://honoki.net/2018/12/12/from-blind-xxe-to-root-level-file-read-access/)
49 | * [[2018] - SSRF on duckduckgo.com/iu/](https://hackerone.com/reports/398641)
50 | * [[2018] - SSRF in proxy.duckduckgo.com](https://hackerone.com/reports/358119)
51 | * [[2018] - DNS pinning SSRF](https://hackerone.com/reports/289187)
52 | * [[2018] - Remote Command Execution in a internal server to get the flag file](https://hackerone.com/reports/415682)
53 | * [[2018] - SSRF in Cloudflare](https://hackerone.com/reports/253558)
54 | * [[2018] - Sending Emails from DNSDumpster - Server-Side Request Forgery to Internal SMTP Access](https://hackerone.com/reports/392859)
55 | * [[2018] - concrete5 - SSRF thru File Replace](https://hackerone.com/reports/243865)
56 | * [[2018] - Blind SSRF at https://chaturbate.com/notifications/update_push/](https://hackerone.com/reports/411865)
57 | * [[2018] - SSRF vulnerability in gitlab.com webhook](https://hackerone.com/reports/301924)
58 | * [[2018] - Blind SSRF on errors.hackerone.net due to Sentry misconfiguration](https://hackerone.com/reports/374737)
59 | * [[2018] - Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteuppiercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
60 | * [[2018] - Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
61 | * [[2018] - SSRF in Exchange leads to ROOT access in all instances - Shopify](https://hackerone.com/reports/341876)
62 | * [[2018] - SSRF in Jira - Escalation of an SSRF to Local File Read!](https://medium.com/@zain.sabahat/exploiting-ssrf-like-a-boss-c090dc63d326)
63 | * [[2018] - SSRF on *shopifycloud.com](https://hackerone.com/reports/382612)
64 | * [[2017] - From SSRF to Local File Disclosure](https://medium.com/@tungpun/from-ssrf-to-local-file-disclosure-58962cdc589f)
65 | * [[2017] - Discourse - SSRF in upload IMG through URL](https://hackerone.com/reports/228377)
66 | * [[2017] - $1.000 SSRF in Slack](https://medium.com/@elberandre/1-000-ssrf-in-slack-7737935d3884)
67 | * [[2017] - A Nifty SSRF Bug Bounty Write Up](https://hack-ed.net/2017/11/07/a-nifty-ssrf-bug-bounty-write-up/)
68 | * [[2017] - SVG Server Side Request Forgery (SSRF)](https://hackerone.com/reports/223203)
69 | * [[2017] - Rockstar Games - Blind SSRF in emblem editor (2)](https://hackerone.com/reports/265050)
70 | * [[2016] - SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)
71 | * [[2016] - SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
72 | * [[2015] - Phabricator - SSRF vulnerability (access to metadata server on EC2 and OpenStack)](https://hackerone.com/reports/53088)
73 | * [[2015] - Dropbox - SSRF vulnerablity in app webhooks](https://hackerone.com/reports/56828)
74 |
--------------------------------------------------------------------------------
/Server-Side-Template-Injection/README.md:
--------------------------------------------------------------------------------
1 | # Server Side Tempplate Injection
2 | [Server-Side Template Injection Introduction & Example](https://www.netsparker.com/blog/web-security/server-side-template-injection/)
3 |
4 | ## References
5 | * [Server-Side Template Injection - PortSwigger](https://portswigger.net/blog/server-side-template-injection)
6 |
7 | ## Tools / Payloads
8 | * [PayloadsAllTheThings - SSRF Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20injections)
9 | * [Server-Side Template Injection and Code Injection Detection and Exploitation Tool](https://github.com/epinna/tplmap)
10 |
11 | ## Examples
12 | * [$10,000 bounty in Shopify - Server Side Template Injection in Return Magic email templates?](https://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
13 | * [RCE in Hubspot with EL injection in HubL](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html)
14 | * [uber.com may RCE by Flask Jinja2 Template Injection](https://hackerone.com/reports/125980)
15 | * [YAHOO! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)
16 | * [Server side template injection via Smarty template ](https://hackerone.com/reports/164224)
17 | * [Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3 | CVE-2018-14716](http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/)
18 | * [Frappé Technologies ERPNext Server Side Template Injection](https://medium.com/bugbountywriteup/frapp%C3%A9-technologies-erpnext-server-side-template-injection-74e1c95ec872)
19 |
--------------------------------------------------------------------------------
/XML-External-Entity/README.md:
--------------------------------------------------------------------------------
1 | # External XML Entity
2 |
3 | ## References
4 | * [Advice From a Bug Hunter XXE - Bugcrowd](https://www.bugcrowd.com/advice-from-a-bug-hunter-xxe/)
5 | * [XXE that can Bypass WAF Protection](https://lab.wallarm.com/xxe-that-can-bypass-waf-protection-98f679452ce0)
6 | ## Tools / Payloads
7 | * [PayloadsAllTheThings - SSRF Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection)
8 |
9 | ## Tools / Payloads
10 | [XXE Payloads](https://gist.github.com/honoki/d7035c3ccca1698ec7b541c77b9410cf)
11 |
12 | ## Examples
13 | * [[2020] - XXE through injection of a payload in the XMP metadata of a JPEG file](https://hackerone.com/reports/836877)
14 | * [[2019] - XXE at ecjobs.starbucks.com.cn/retail/hxpublic_v6/hxdynamicpage6.aspx](https://hackerone.com/reports/500515)
15 | * [[2018] - XXE in Site Audit function exposing file and directory contents](https://hackerone.com/reports/312543)
16 | * [[2018] - Gaining Filesystem Access via Blind OOB XXE](https://hawkinsecurity.com/2018/03/24/gaining-filesystem-access-via-blind-oob-xxe/)
17 | * [[2018] - Blind XXE via Powerpoint files](https://hackerone.com/reports/334488)
18 | * [[2018] - Phone Call to XXE via Interactive Voice Response](https://hackerone.com/reports/395296)
19 | * [[2018] - LFI and SSRF via XXE in Emblem Editor in Rockstar Games](https://hackerone.com/reports/347139)
20 | * [[2018] - Blind XXE in Autodiscover Parser](https://hackerone.com/reports/315837)
21 | * [[2018] - From blind XXE to root-level file read access](https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/)
22 | * [[2018] - Out-of-band XXE in PrizmDoc (CVE-2018–15805)](https://www.secmasters.com/blog/out-of-band-xxe-in-prizmdoc-cve-2018-15805)
23 | * [[2018] - Blind XML External Entities Out-Of-Band Channel Vulnerability : PayPal Case Study](https://r00thunt.com/2018/10/05/blind-xml-external-entities-out-of-band-channel-vulnerability-paypal-case-study/)
24 | * [[2017] - XXE on sms-be-vip.twitter.com in SXMP Processor](https://hackerone.com/reports/248668)
25 | * [[2017] - XXE in Uber to read local files](https://httpsonly.blogspot.com/2017/01/0day-writeup-xxe-in-ubercom.html)
26 | * [[2017] - GSA File Server - ASIS CTF Finals 2017](https://github.com/occupe/Writeups-CTF/blob/master/ASIS-CTF/Gsa%20File%20server/Readme.md)
27 | * [[2016] - http://nerdint.blogspot.com/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html](http://nerdint.blogspot.com/2016/08/blind-oob-xxe-at-uber-26-domains-hacked.html)
28 | * [[2014] - Detecting and Exploiting XXE in SAML](https://web-in-security.blogspot.com/2014/11/detecting-and-exploiting-xxe-in-saml.html)
29 | * [[2014] - How we got read access on Google’s production servers](https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/)
--------------------------------------------------------------------------------