├── .github
    └── FUNDING.yml
├── 2006.md
├── 2007.md
├── 2008.md
├── 2009.md
├── 2010.md
├── 2011.md
├── 2012.md
├── 2013.md
├── 2014.md
├── 2015.md
├── 2016-17.md
├── 2018.md
├── 2019.md
├── 2020.md
└── README.md


/.github/FUNDING.yml:
--------------------------------------------------------------------------------
 1 | # These are supported funding model platforms
 2 | 
 3 | github: irsdl # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
 4 | patreon: # Replace with a single Patreon username
 5 | open_collective: # Replace with a single Open Collective username
 6 | ko_fi: # Replace with a single Ko-fi username
 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
 9 | liberapay: # Replace with a single Liberapay username
10 | issuehunt: # Replace with a single IssueHunt username
11 | otechie: # Replace with a single Otechie username
12 | lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
13 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
14 | 


--------------------------------------------------------------------------------
/2006.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2006
 2 | 
 3 | [The Attack of the TINY URLs](https://www.gnucitizen.org/blog/the-attack-of-the-tiny-urls/)\
 4 | [Backdooring MP3 Files](https://www.gnucitizen.org/blog/backdooring-mp3-files/)\
 5 | [Backdooring QuickTime Movies](https://www.gnucitizen.org/blog/backdooring-quicktime-movies/)\
 6 | [CSS history hacking with evil marketing](http://www.cgisecurity.com/2006/10/02)\
 7 | [I know where you've been](https://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html)\
 8 | [Stealing Search Engine Queries with JavaScript](http://www.spidynamics.com/spilabs/education/articles/JS-search.html)\
 9 | [Hacking RSS Feeds](http://www.cgisecurity.com/papers/HackingFeeds.pdf)\
10 | [MX Injection : Capturing and Exploiting Hidden Mail Servers](http://www.webappsec.org/projects/articles/121106.shtml)\
11 | [Blind web server fingerprinting](https://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf)\
12 | [JavaScript Port Scanning](https://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf)\
13 | [CSRF with MS Word](http://michaeldaw.org/md-hacks/csrf-with-msword/)\
14 | [Backdooring PDF Files](http://michaeldaw.org/md-hacks/backdooring-pdf-files/)\
15 | [Exponential XSS Attacks](http://ha.ckers.org/blog/20061211/exponential-xss-attacks/)\
16 | [Malformed URL in Image Tag Fingerprints Internet Explorer](http://ha.ckers.org/blog/20061206/malformed-url-in-image-tag-fingerprints-internet-explorer/)\
17 | [JavaScript Portscanning and bypassing HTTP Auth](http://blog.php-security.org/archives/54-JavaScriptHTML-Portscanning-and-HTTP-Auth.html)\
18 | [Bruteforcing HTTP Auth in Firefox with JavaScript](http://blog.php-security.org/archives/56-Bruteforcing-HTTP-Auth-in-Firefox-with-JavaScript.html)\
19 | [Bypassing Mozilla Port Blocking](https://jeremiahgrossman.blogspot.com/2006/11/bypassing-mozilla-port-blocking.html)\
20 | [How to defeat digg.com](https://4diggers.blogspot.com/)\
21 | [A story that diggs itself](http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/)\
22 | [Expect Header Injection Via Flash](http://ha.ckers.org/blog/20060731/expect-header-injection-via-flash/)\
23 | [Forging HTTP request headers with Flash](http://www.securityfocus.com/archive/1/441014/30/0/threaded)\
24 | [Cross Domain Leakage With Image Size](http://ha.ckers.org/blog/20060728/cross-domain-leakage-with-image-size/)\
25 | [Enumerating Through User Accounts](http://ha.ckers.org/blog/20061118/enumerating-through-user-accounts/)\
26 | [Widespread XSS for Google Search Appliance](http://sla.ckers.org/forum/read.php?3,3109)\
27 | [Detecting States of Authentication With Protected Images](http://ha.ckers.org/blog/20061108/detecting-states-of-authentication-with-protected-images/)\
28 | [XSS Fragmentation Attacks](http://sla.ckers.org/forum/read.php?13,2033)\
29 | [Poking new holes with Flash Crossdomain Policy Files](http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html)\
30 | [Google Indexes XSS](http://ha.ckers.org/blog/20060928/google-indexes-xss/)\
31 | [XML Intranet Port Scanning](http://www.sift.com.au/36/172/xml-port-scanning-bypassing-restrictive-perimeter-firewalls.htm)\
32 | [IMAP Vulnerable to XSS](http://www.ngssoftware.com/research/papers/InterProtocolCommunication.pdf)\
33 | [Detecting Privoxy Users and Circumventing It](http://ha.ckers.org/blog/20060911/detecting-privoxy-users-and-circumventing-it/)\
34 | [Using CSS to De-Anonymize](http://ha.ckers.org/blog/20060911/using-css-to-de-anonymize/)\
35 | [Response Splitting Filter Evasion](http://ha.ckers.org/blog/20060827/response-splitting-filter-evasion/)\
36 | [CSS History Stealing Acts As Cookie](http://ha.ckers.org/blog/20060823/css-history-stealing-acts-as-cookie/)\
37 | [Detecting FireFox Extentions](http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/)\
38 | [Stealing User Information Via Automatic Form Filling](http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/)\
39 | [Circumventing DNS Pinning for XSS](http://ha.ckers.org/blog/20060815/circumventing-dns-pinning-for-xss/)\
40 | [Netflix.com XSRF vuln](http://www.webappsec.org/lists/websecurity/archive/2006-10/msg00063.html)\
41 | [Browser Port Scanning without JavaScript](https://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html)\
42 | [Widespread XSS for Google Search Appliance](http://sla.ckers.org/forum/read.php?3,3109,3124)\
43 | [Bypassing Filters With Encoding](http://sla.ckers.org/forum/read.php?2,3153,3153)\
44 | [Variable Width Encoding](http://ha.ckers.org/blog/20060817/variable-width-encoding/)\
45 | [Network Scanning with HTTP without JavaScript](http://ilia.ws/archives/145-Network-Scanning-with-HTTP-without-JavaScript.html)\
46 | [AT&T Hack Highlights Web Site Vulnerabilities](http://www.informationweek.com/news/showArticle.jhtml?articleID=192500500&subSection=Breaking+News)\
47 | [How to get linked from Slashdot](https://jeremiahgrossman.blogspot.com/2006/09/how-to-get-linked-from-slashdot.html)\
48 | [F5 and Acunetix XSS disclosure](http://www.darkreading.com/document.asp?doc_id=104313&f_src=darkreading_section_296)\
49 | [Anti-DNS Pinning](http://shampoo.antville.org/stories/1451301/) and [Circumventing Anti-Anti DNS pinning](http://ha.ckers.org/blog/20060908/dns-pinning-just-got-worse/)\
50 | [Google plugs phishing hole](https://blogs.securiteam.com/index.php/archives/604)\
51 | [Nikon magazine hit with security breach](http://news.com.com/Nikon+magazine+hit+with+security+breach/2100-1029_3-6116105.html?part=rss&tag=6116105&subj=news)\
52 | [Governator Hack](https://www.techdirt.com/articles/20060911/193625.shtml)\
53 | [Metaverse breached: Second Life customer database hacked](http://www.techcrunch.com/2006/09/08/metaverse-breached-second-life-customer-database-hacked/)\
54 | [HostGator: cPanel Security Hole Exploited in Mass Hack](http://news.netcraft.com/archives/2006/09/23/hostgator_cpanel_security_hole_exploited_in_mass_hack.html)\
55 | [I know what you've got (Firefox Extensions)](https://jeremiahgrossman.blogspot.com/2006/08/i-know-what-youve-got-firefox.html)\
56 | [ABC News (AU) XSS linking the reporter to Al Qaeda](https://jeremiahgrossman.blogspot.com/2006/01/my-tv-interview-with-abc-news-au.html)\
57 | [Account Hijackings Force LiveJournal Changes](http://blog.washingtonpost.com/securityfix/2006/01/account_hijackings_force_livej.html)\
58 | [Xanga Hit By Script Worm](https://blogs.securiteam.com/index.php/archives/166)\
59 | [Advanced Web Attack Techniques using GMail](http://beta.blogger.com/Advanced%20Web%20Attack%20Techniques%20using%20GMail)\
60 | [PayPal Security Flaw allows Identity Theft](http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html)\
61 | [Internet Explorer 7 "mhtml:" Redirection Information Disclosure](https://secunia.com/advisories/22477/)\
62 | [Bypassing of web filters by using ASCII](http://www.securityfocus.com/archive/1/437948/30/0/threaded)\
63 | [Selecting Encoding Methods For XSS Filter Evasion](http://ha.ckers.org/blog/20061103/selecting-encoding-methods-for-xss-filter-evasion/)\
64 | [Adultspace XSS Worm](http://ha.ckers.org/blog/20061214/adultspace-xss-worm/)\
65 | [Anonymizing RFI Attacks Through Google](https://blogs.securiteam.com/index.php/archives/746)\
66 | [Google Hacks On Your Behalf](http://ha.ckers.org/blog/20061123/google-hacks-on-your-behalf/)\
67 | [Google Dorks Strike Again](http://ha.ckers.org/blog/20061005/google-dorks-strike-again/)
68 | 


--------------------------------------------------------------------------------
/2007.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2007
 2 | 
 3 | [Cross-Site Printing (Printer Spamming)](http://aaron.weaver2.googlepages.com/CrossSitePrinting.pdf)[](https://docs.google.com/View?docid=ajfxntc4dmsq_14dt57ssdw&pli=1)\
 4 | [Stealing Pictures with Picasa](http://xs-sniper.com/blog/2007/09/24/stealing-pictures-with-picasa/)\
 5 | [HScan Redux](https://www.gnucitizen.org/projects/hscan-redux/)\
 6 | [ISO-8895-1 Vulnerable in Firefox to Null Injection](http://ha.ckers.org/blog/20070210/iso-8895-1-vulnerable-in-firefox-to-null-injection/)\
 7 | [MITM attack to overwrite addons in Firefox](http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html)\
 8 | [Microsoft ASP.NET Request Validation Bypass Vulnerability](http://www.procheckup.com/Vulner_PR0703.php) [(POC)](http://michaeldaw.org/news/news-030407/)\
 9 | [Non-Alpha-Non-Digit 3](http://ha.ckers.org/blog/20070209/non-alpha-non-digit-3/)\
10 | [Steal History without JavaScript](https://jeremiahgrossman.blogspot.com/2007/03/i-still-know-where-youve-been-without.html)\
11 | [Pure Java™, Pure Evil™ Popups](https://hackademix.net/2007/08/07/java-evil-popups/)\
12 | [Google Adsense CSRF hole](http://www.thespanner.co.uk/2007/09/27/google-adsense-csrf-hole/)\
13 | [There's an OAK TREE in my blog!?!?!](http://xs-sniper.com/blog/2008/01/08/theres-an-oak-tree-in-my-blog/)\
14 | [BK for Mayor of Oak Tree View](http://xs-sniper.com/blog/2007/09/20/bk-for-mayor-of-oak-tree-view/)\
15 | [Google Docs puts Google Users at Risk](http://xs-sniper.com/blog/2007/09/26/google-docs-puts-google-users-at-risk/)\
16 | [All Your Google Docs are Belong To US...](http://xs-sniper.com/blog/2007/09/28/all-your-google-docs-are-belong-to-us/)\
17 | [Java Applets and DNS Rebinding](http://xs-sniper.com/blog/2007/11/04/java-applets-and-dns-rebinding/)\
18 | [Scanning internal Lan with PHP remote file opening.](http://www.wisec.it/sectou.php?id=46d592056b008)\
19 | [Firefox File Handling Woes](http://xs-sniper.com/blog/2007/09/01/firefox-file-handling-woes/)\
20 | [Firefoxurl URI Handler Flaw](http://xs-sniper.com/blog/2007/07/17/firefoxurl-uri-handler-flaw/)\
21 | [Bugs in the Browser: Firefox's DATA URL Scheme Vulnerability](https://www.gnucitizen.org/blog/bugs-in-the-browser-firefoxs-data-url-scheme-vulnerability)\
22 | [Multiviews Apache, Accept Requests and free listing](http://www.wisec.it/sectou.php?id=4698ebdc59d15)\
23 | [Optimizing the number of requests in blind SQL injection](http://www.wisec.it/sectou.php?id=4706611fe9210)\
24 | [Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)](http://www.wisec.it/sectou.php?id=472f952d79293)\
25 | [Port Scan without JavaScript](https://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html)\
26 | [Favorites Gone Wild](http://blog.watchfire.com/wfblog/2007/10/favorites-gone.html)\
27 | [Cross-Browser Proxy Unmasking](https://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/)\
28 | [Spoofing Firefox protected objects](http://www.thespanner.co.uk/2007/11/14/spoofing-firefox-protected-objects/)\
29 | [Injecting the script tag into XML](http://www.thespanner.co.uk/2007/10/09/injecting-the-script-tag-into-xml/)\
30 | [Login Detection without JavaScript](https://jeremiahgrossman.blogspot.com/2007/05/intranet-hacking-take-2-for-bh-usa-2007.html)\
31 | [Anti-DNS Pinning ( DNS Rebinding ) : Online Demonstration](http://www.jumperz.net/index.php?i=2&a=1&b=7)\
32 | [Username Enumeration Timing Attacks (Sensepost)](https://www.sensepost.com/blog/1303.html)\
33 | [Google GMail E-mail Hijack Technique](https://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/)\
34 | [Recursive Request DoS](http://ha.ckers.org/blog/20070901/recursive-request-dos/)\
35 | [Exaggerating Timing Attack Results Via GET Flooding](http://ha.ckers.org/blog/20071209/exaggerating-timing-attack-results-via-get-flooding/)\
36 | [Initiating Probes Against Servers Via Other Servers](http://ha.ckers.org/blog/20071209/initiatin-probes-against-servers-via-other-servers/)\
37 | [Effects of DNS Rebinding On IE's Trust Zones](http://ha.ckers.org/blog/20071112/effects-of-dns-rebinding-on-ies-trust-zones/)\
38 | [Paper on Hacking Intranets Using Websites (Not Web Browsers)](http://ha.ckers.org/blog/20070827/paper-on-hacking-intranets-using-websites-not-web-browsers/)\
39 | [More Port Scanning - This Time in Flash](http://scan.flashsec.org/)\
40 | [HTTP Response Splitting and Data: URI scheme in Firefox](http://www.wisec.it/sectou.php?id=472a5b8d1a4cd)\
41 | [Res:// Protocol Local File Enumeration](http://xs-sniper.com/blog/2007/07/20/more-uri-stuff-ies-resouce-uri/)\
42 | [Res Timing Attack](http://ha.ckers.org/blog/20070725/res-timing-attack/)\
43 | [IE6.0 Protocol Guessing](http://ha.ckers.org/blog/20070702/ie60-protocol-guessing/)\
44 | [IE 7 and Firefox Browsers Digest Authentication Request Splitting](http://www.wisec.it/vulns.php?id=11)\
45 | [Hacking Intranets Via Brute Force](http://ha.ckers.org/blog/20061228/hacking-intranets-via-brute-force/)\
46 | [Hiding JS in Valid Images](http://ha.ckers.org/blog/20070623/hiding-js-in-valid-images/)\
47 | [Internet Archiver Port Scanner](http://ha.ckers.org/blog/20070323/internet-archiver-port-scanner/)\
48 | [Noisy Decloaking Methods](http://ha.ckers.org/blog/20070421/noisy-decloaking-methods/)\
49 | [Code Execution Through Filenames in Uploads](http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/)\
50 | [Cross Domain Basic Auth Phishing Tactics](http://ha.ckers.org/blog/20070608/cross-domain-basic-auth-phishing-tactics/)\
51 | [Additional Image Bypass on Windows](http://ha.ckers.org/blog/20070606/additional-image-bypass-on-windows/)\
52 | [Detecting users via Authenticated Redirects](https://kuza55.blogspot.com/2007/01/more-user-login-detection-via.html)\
53 | [Passing Malicious PHP Through getimagesize()](http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/)\
54 | [Turn Any Page Into A Greasemonkey Popup](http://ha.ckers.org/blog/20070506/turn-any-page-into-a-greasemonkey-popup/)\
55 | [Enumerate Windows Users In JS](http://ha.ckers.org/blog/20070518/enumerate-windows-users-in-js/)\
56 | [Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH](http://www.jumperz.net/index.php?i=2&a=3&b=3)\
57 | [Iframe HTTP Ping](http://ha.ckers.org/blog/20070119/iframe-http-ping/)\
58 | [Read Firefox Settings (PoC)](http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/)\
59 | [Stealing Mouse Clicks for Banner Fraud](http://ha.ckers.org/blog/20070116/stealing-mouse-clicks-for-banner-fraud/)\
60 | [(Non-Persistent) Untraceable XSS Attacks](https://kuza55.blogspot.com/2007/03/non-persistent-untraceable-xss-attacks.html)\
61 | [Inter Protocol Exploitation](http://ha.ckers.org/blog/20070411/intra-protocol-exploitation/)\
62 | [Detecting Default Browser in IE](http://ha.ckers.org/blog/20070319/detecting-default-browser-in-ie/)\
63 | [Bypass port blocking in Firefox, Opera and Konqueror.](http://bindshell.net/papers/ftppasv)\
64 | [LocalRodeo Detection](http://ha.ckers.org/blog/20070403/localrodeo-detection/)\
65 | [Image Names Gone Bad](http://ha.ckers.org/blog/20070209/image-names-gone-bad/)\
66 | [IE Sends Local Addresses in Referer Header](http://ha.ckers.org/blog/20070325/ie-sends-local-addresses-in-referer-header/)\
67 | [PDF XSS Can Compromise Your Machine](http://ha.ckers.org/blog/20070103/pdf-xss-can-compromise-your-machine/)\
68 | [Universal XSS in Adobe's Acrobat Reader Plugin](http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0062.html)\
69 | [Firefox Popup Blocker Allows Reading Arbitrary Local Files](http://www.securiteam.com/securitynews/5JP051FKKE.html)\
70 | [IE7.0 Detector](http://ha.ckers.org/blog/20070210/ie70-detector/)\
71 | [overwriting cookies on other people's domains in Firefox.](http://lcamtuf.dione.cc/ffhostname.html)\
72 | [Embeding SVG That Contains XSS Using Base64 Encoding in Firefox](http://ha.ckers.org/blog/20070216/embeding-svg-that-contains-xss-using-base64-encoding-in-firefox/)\
73 | [Firefox Header Redirection JavaScript Execution](http://ha.ckers.org/blog/20070309/firefox-header-redirection-javascript-execution/)\
74 | [More URI Stuff... (IE's Resouce URI)](http://xs-sniper.com/blog/2007/07/20/more-uri-stuff-ies-resouce-uri/)\
75 | [Hacking without 0days: Drive-by Java](https://www.gnucitizen.org/blog/hacking-without-0days-drive-by-java/)\
76 | [Google Urchin password theft madness](https://www.gnucitizen.org/blog/google-urchin-password-theft-madness)\
77 | [Username Enumeration Vulnerabilities](https://www.gnucitizen.org/blog/username-enumeration-vulnerabilities)\
78 | [Client-side SQL Injection Attacks](https://www.gnucitizen.org/blog/client-side-sql-injection-attacks)\
79 | [Content-Disposition Hacking](https://www.gnucitizen.org/blog/content-disposition-hacking)\
80 | [Flash Cookie Object Tracking](https://www.gnucitizen.org/blog/flash-cookie-object-tracking/)\
81 | [Java JAR Attacks and Features](https://www.gnucitizen.org/blog/java-jar-attacks-and-features)\
82 | [Severe XSS in Google and Others due to the JAR protocol issues](https://www.gnucitizen.org/blog/severe-xss-in-google-and-others-due-to-the-jar-protocol-issues)\
83 | [Web Mayhem: Firefox's JAR: Protocol issues](https://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues) ([bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=369814))\
84 | [0DAY: QuickTime pwns Firefox](https://www.gnucitizen.org/projects/0day-quicktime-pwns-firefox/)\
85 | [Exploiting Second Life](https://www.securityevaluators.com/sl/)
86 | 


--------------------------------------------------------------------------------
/2008.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2008
 2 | 
 3 | [CUPS Detection](https://jeremiahgrossman.blogspot.com/2008/03/fun-with-cups.html) \
 4 | [CSRFing the uTorrent plugin](https://r00tin.blogspot.com/2008/04/utorrent-pwn3d.html) \
 5 | [Clickjacking / Videojacking](https://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html) \
 6 | [Bypassing URL Authentication and Authorization with HTTP Verb Tampering](https://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf) \
 7 | [I used to know what you watched, on YouTube (CSRF + Crossdomain.xml)](https://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html) \
 8 | [Safari Carpet Bomb](http://www.dhanjani.com/blog/2008/05/safari-carpet-b.html) \
 9 | [Flash clipboard Hijack](https://blogs.adobe.com/psirt/2008/09/clipboard_attack_update.html) \
10 | [Flash Internet Explorer security model bug](http://blog.guya.net/2008/09/10/bug-in-internet-explorer-security-model-when-embedding-flash/) \
11 | [Frame Injection Fun](https://www.gnucitizen.org/blog/frame-injection-fun/) \
12 | [Free MacWorld Platinum Pass? Yes in 2008!](http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html) \
13 | [Diminutive Worm, 161 byte Web Worm](http://ha.ckers.org/blog/20080110/diminutive-worm-contest-wrapup/) \
14 | [SNMP XSS Attack](http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-05) ([1](http://www.procheckup.com/vulnerability_manager/vulnerabilities/paper-04)) \
15 | [Res Timing File Enumeration Without JavaScript in IE0](http://ha.ckers.org/blog/20080227/res-timing-file-enumeration-without-javascript-in-ie70/) \
16 | [Stealing Basic Auth with Persistent XSS](https://schmoil.blogspot.com/2008/03/stealing-basic-auth-with-persistent-xss.html) \
17 | [Smuggling SMTP through open HTTP proxies](https://schmoil.blogspot.com/2008/03/smuggling-smtp-through-open-http.html) \
18 | [Collecting Lots of Free 'Micro-Deposits'](https://blog.wired.com/27bstroke6/2008/05/man-allegedly-b.html) \
19 | [Using your browser URL history to estimate gender](http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-estimate-gender/) \
20 | [Cross-site File Upload Attacks](https://www.gnucitizen.org/blog/cross-site-file-upload-attacks/) \
21 | [Same Origin Bypassing Using Image Dimensions](http://i8jesus.com/?p=13) \
22 | [HTTP Proxies Bypass Firewalls](http://ha.ckers.org/blog/20080520/http-proxies-bypass-firewalls/) \
23 | [Join a Religion Via CSRF](http://ha.ckers.org/blog/20080403/join-a-religion-via-csrf/) \
24 | [Cross-domain leaks of site logins via Authenticated CSS](https://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html) \
25 | [JavaScript Global Namespace Pollution](https://www.gnucitizen.org/blog/javascript-global-namespace-pollution/) \
26 | [GIFAR](http://riosec.com/how-to-create-a-gifar) \
27 | [HTML/CSS Injections - Primitive Malicious Code](http://i8jesus.com/?p=10) \
28 | [Hacking Intranets Through Web Interfaces](http://www.sectheory.com/intranet-hacking.htm) \
29 | [Cookie Path Traversal](https://kuzablogspot.com/2008/07/cookie-path-traversal.html) \
30 | [Racing to downgrade users to cookie-less authentication](https://kuzablogspot.com/2008/02/racing-to-downgrade-users-to-cookie.html) \
31 | [MySQL and SQL Column Truncation Vulnerabilities](http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/) \
32 | [Building Subversive File Sharing With Client Side Applications](http://www.sectheory.com/file-sharing.htm) \
33 | [Firefox XML injection into parse of remote XML](http://scary.beasts.org/security/CESA-2008-html) \
34 | [Firefox cross-domain information theft (simple text strings, some CSV)](http://scary.beasts.org/security/CESA-2008-html) \
35 | [Firefox 2 and WebKit nightly cross-domain image theft](http://scary.beasts.org/security/CESA-2008-html) \
36 | [Browser's Ghost Busters](https://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html) \
37 | [Exploiting XSS vulnerabilities on cookies](https://sirdarckcat.blogspot.com/2008/01/exploiting-xss-vulnerabilities-on.html) \
38 | [Breaking Google Gears' Cross-Origin Communication Model](http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html) \
39 | [Flash Parameter Injection](http://blog.watchfire.com/wfblog/2008/10/flash-parameter.html) \
40 | [Cross Environment Hopping](http://blog.watchfire.com/wfblog/2008/06/cross-environ-html) \
41 | [Exploiting Logged Out XSS Vulnerabilities](https://kuzablogspot.com/2008/02/exploiting-logged-out-xss.html) \
42 | [Exploiting CSRF Protected XSS](https://kuzablogspot.com/2008/02/exploiting-csrf-protected-xss.html) \
43 | [ActiveX Repurposing](https://carnal0wnage.blogspot.com/2008/08/owning-client-without-and-exploit.html), ([1](https://www.sensepost.com/blog/html), [2)](http://www.networkworld.com/news/2008/080708-black-hat-ssl-vpn-security.html) \
44 | [Tunneling tcp over http over sql-injection](https://www.sensepost.com/research/reDuh/SensePost_tgz) \
45 | [Arbitrary TCP over uploaded pages](https://www.sensepost.com/research/reDuh/) \
46 | [Local DoS on CUPS to a remote exploit via specially-crafted webpage](https://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/) ([1](http://lab.gnucitizen.org/projects/cups-0day)) \
47 | [JavaScript Code Flow Manipulation](http://blog.watchfire.com/wfblog/2008/06/javascript-code.html) \
48 | [Common localhost dns misconfiguration can lead to "same site" scripting](http://seclists.org/bugtraq/2008/Jan/html) \
49 | [Pulling system32 out over blind SQL Injection](http://blueinfy.com/wp/blindsql.pdf) \
50 | [Dialog Spoofing - Firefox Basic Authentication](http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx) \
51 | [Skype cross-zone scripting vulnerability](http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx) \
52 | [Safari pwns Internet Explorer](http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx) \
53 | [IE "Print Table of Links" Cross-Zone Scripting Vulnerability](http://aviv.raffon.net/2008/05/14/InternetExplorerQuotPrintTableOfLinksquotCrossZoneScriptingVulnerability.aspx) \
54 | [A different Opera](http://aviv.raffon.net/2008/10/30/ADifferentOpera.aspx) \
55 | [Abusing HTML 5 Structured Client-side Storage](http://trivero.secdiscover.com/html5whitepaper.pdf) \
56 | [SSID Script Injection](http://usefulfor.com/security/2008/08/04/ssid-script-injection/) \
57 | [DHCP Script Injection](http://usefulfor.com/security/2008/08/04/dhcp-script-injection/) \
58 | [File Download Injection](https://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf) \
59 | [Navigation Hijacking (Frame/Tab Injection Attacks)](https://www.gnucitizen.org/blog/hijacking-innocent-frames/) \
60 | [UPnP Hacking via Flash](https://www.gnucitizen.org/blog/hacking-the-interwebs/) \
61 | [Total surveillance made easy with VoIP phone](https://www.gnucitizen.org/projects/total-surveillance-made-easy-with-voip-phones/) \
62 | [Social Networks Evil Twin Attacks](https://www.gnucitizen.org/blog/social-networks-evil-twin-attacks/) \
63 | [Recursive File Include DoS](http://websecurity.com.ua/2047/) \
64 | [Multi-pass filters bypass](http://websecurity.com.ua/2115/) \
65 | [Session Extending](http://websecurity.com.ua/2233/) \
66 | [Code Execution via XSS](http://securityvulns.ru/Udocumenthtml) ([1](http://securityvulns.ru/Udocumenthtml)) \
67 | [Redirector's hell](http://websecurity.com.ua/2670/) \
68 | [Persistent SQL Injection](http://securityvulns.ru/Vdocumenthtml) \
69 | [JSON Hijacking with UTF-7](http://powerofcommunity.net/poc2008/hasegawa.pptx) \
70 | [SQL Smuggling](http://www.comsecglobal.com/FrameWork/Upload/SQL_Smuggling.pdf) \
71 | [Abusing PHP Sockets](http://www.secforce.co.uk/media/presentations/OWASP_Abusing_PHP_sockets.pdf) ([1](http://www.secforce.co.uk/media/tools/socket_attack.zip), [2](http://www.secforce.co.uk/media/demos/PHP_socket_hijacking_demo.html)) \
72 | [CSRF on Novell GroupWise WebAccess](http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-21) 
73 | 


--------------------------------------------------------------------------------
/2009.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2009
 2 | 
 3 | [Persistent Cookies and DNS Rebinding Redux](http://ha.ckers.org/blog/20090120/persistent-cookies-and-dns-rebinding-redux/) \
 4 | [iPhone SSL Warning and Safari Phishing](http://ha.ckers.org/blog/20090329/iphone-ssl-warning-and-safari-phishing/) \
 5 | [RFC 1918 Blues](http://ha.ckers.org/blog/20090608/rfc1918-blues/) \
 6 | [Slowloris HTTP DoS](http://ha.ckers.org/blog/20090617/slowloris-http-dos/) \
 7 | [CSRF And Ignoring Basic/Digest Auth](http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/) \
 8 | [Hash Information Disclosure Via Collisions - The Hard Way](http://ha.ckers.org/blog/20090713/hash-information-disclosure-via-collisions-the-hard-way/) \
 9 | [Socket Capable Browser Plugins Result In Transparent Proxy Abuse](http://www.thesecuritypractice.com/the_security_practice/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html) \
10 | [XMLHTTPReqest "Ping" Sweeping in Firefox 5+](http://ha.ckers.org/blog/20090720/xmlhttpreqest-ping-sweeping-in-firefox-35/) \
11 | [Session Fixation Via DNS Rebinding](http://ha.ckers.org/blog/20091116/session-fixation-via-dns-rebinding/) \
12 | [Quicky Firefox DoS](http://ha.ckers.org/blog/20090727/quicky-firefox-dos/) \
13 | [DNS Rebinding for Credential Brute Force](http://ha.ckers.org/blog/20091117/dns-rebinding-for-credential-brute-force/) \
14 | [SMBEnum](http://ha.ckers.org/blog/20090809/smbenum/) \
15 | [DNS Rebinding for Scraping and Spamming](http://ha.ckers.org/blog/20091118/dns-rebinding-for-scraping-and-spamming/) \
16 | [SMB Decloaking](http://ha.ckers.org/blog/20090811/smb-decloaking/) \
17 | [De-cloaking in IE0 Via Windows Variables](http://ha.ckers.org/blog/20090810/de-cloaking-in-ie70-via-windows-variables/) \
18 | [itms Decloaking](http://ha.ckers.org/blog/20090819/itms-decloaking/) \
19 | [Flash Origin Policy Issues](http://foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html) \
20 | [Cross-subdomain Cookie Attacks](http://skeptikal.org/2009/11/cross-subdomain-cookie-attacks.html) \
21 | [HTTP Parameter Pollution (HPP)](http://blog.mindedsecurity.com/2009/05/http-parameter-pollution-new-web-attack.html) \
22 | [How to use Google Analytics to DoS a client from some website.](https://sirdarckcat.blogspot.com/2009/04/how-to-use-google-analytics-to-dos.html) \
23 | [Our Favorite XSS Filters and how to Attack them](https://sirdarckcat.blogspot.com/2009/08/our-favorite-xss-filters-and-how-to.html) \
24 | [Location based XSS attacks](http://www.thespanner.co.uk/2008/12/01/location-based-xss-attacks/) \
25 | [PHPIDS bypass](http://www.thespanner.co.uk/2009/01/04/phpids-bypass/) \
26 | [I know what your friends did last summer](http://www.thespanner.co.uk/2009/01/07/i-know-what-your-friends-did-last-summer/) \
27 | [Detecting IE in 12 bytes](http://www.thespanner.co.uk/2009/01/28/detecting-ie-in-12-bytes/) \
28 | [Detecting browsers javascript hacks](http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/) \
29 | [Inline UTF-7 E4X javascript hijacking](http://www.thespanner.co.uk/2009/02/24/inline-utf-7-e4x-javascript-hijacking/) \
30 | [HTML5 XSS](http://www.thespanner.co.uk/2009/03/20/html5-xss/) \
31 | [Opera XSS vectors](http://www.thespanner.co.uk/2009/05/08/opera-xss-vectors/) \
32 | [New PHPIDS vector](http://www.thespanner.co.uk/2009/06/01/new-phpids-vector/) \
33 | [Bypassing CSP for fun, no profit](http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/) \
34 | [Twitter misidentifying context](http://www.thespanner.co.uk/2009/11/23/twitter-misidentifying-context/) \
35 | [Ping pong obfuscation](http://www.thespanner.co.uk/2009/11/23/ping-pong-obfuscation/) \
36 | [HTML5 new XSS vectors](http://www.thespanner.co.uk/2009/12/06/html5-new-xss-vectors/) \
37 | [About CSS Attacks](https://sirdarckcat.blogspot.com/2008/10/about-css-attacks.html) \
38 | [Web pages Detecting Virtualized Browsers and other tricks](https://jeremiahgrossman.blogspot.com/2009/08/web-pages-detecting-virtualized.html) \
39 | [Results, Unicode Left/Right Pointing Double Angel Quotation Mark](https://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html) \
40 | [Detecting Private Browsing Mode](https://jeremiahgrossman.blogspot.com/2009/03/detecting-private-browsing-mode.html) \
41 | [Cross-domain search timing](https://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html) \
42 | [Bonus Safari XXE (only affecting Safari 4 Beta)](https://scarybeastsecurity.blogspot.com/2009/06/bonus-safari-xxe-only-affecting-safari.html) \
43 | [Apple's Safari 4 also fixes cross-domain XML theft](https://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-also-fixes-cross-domain.html) \
44 | [Apple's Safari 4 fixes local file theft attack](https://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-fixes-local-file-theft.html) \
45 | [A more plausible E4X attack](https://scarybeastsecurity.blogspot.com/2009/05/more-plausible-e4x-attack.html) \
46 | [A brief description of how to become a CA](https://schmoil.blogspot.com/2009/01/brief-description-of-how-to-become-ca.html) \
47 | [Creating a rogue CA certificate](http://www.phreedom.org/research/rogue-ca/) \
48 | [Browser scheme/slash quirks](http://i8jesus.com/?p=37) \
49 | [Cross-protocol XSS with non-standard service ports](http://i8jesus.com/?p=75) \
50 | [Forget sidejacking, clickjacking, and carjacking: enter "Formjacking"](http://i8jesus.com/?p=48) \
51 | [MD5 extension attack](http://netifera.com/research) \
52 | [Attack - PDF Silent HTTP Form Repurposing Attacks](http://www.secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf) \
53 | [XSS Relocation Attacks through Word Hyperlinking](http://www.secniche.org/papers/SNS_09_01_Evad_Xss_Filter_Msword.pdf) \
54 | [Hacking CSRF Tokens using CSS History Hack](http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/) \
55 | [Hijacking Opera's Native Page using malicious RSS payloads](http://securethoughts.com/2009/10/hijacking-operas-native-page-using-malicious-rss-payloads/) \
56 | [Millions of PDF invisibly embedded with your internal disk paths](http://securethoughts.com/2009/11/millions-of-pdf-invisibly-embedded-with-your-internal-disk-paths/) \
57 | [Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection](http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/) \
58 | [Pwning Opera Unite with Inferno's Eleven](http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/) \
59 | [Using Blended Browser Threats involving Chrome to steal files on your computer](http://securethoughts.com/2009/11/using-blended-browser-threats-involving-chrome-to-steal-files-on-your-computer/) \
60 | [Bypassing OWASP ESAPI XSS Protection inside Javascript](http://securethoughts.com/2009/08/bypassing-owasp-esapi-xss-protection-inside-javascript/) \
61 | [Hijacking Safari 4 Top Sites with Phish Bombs](http://securethoughts.com/2009/08/hijacking-safari-4-top-sites-with-phish-bombs/) \
62 | [Yahoo Babelfish - Possible Frame Injection Attack - Design Stringency](https://zeroknock.blogspot.com/2009/12/yahoo-babelfish-possible-inline-iframe.html) \
63 | [Gmail - Google Docs Cookie Hijacking through PDF Repurposing](http://secniche.org/gmd_hijack/gc_hijack.xhtml) & [PDF](http://secniche.org/gmd_hijack/advisory_gmail_google_docs_pdf_repurposing_attack.pdf) \
64 | [IE8 Link Spoofing - Broken Status Bar Integrity](http://secniche.org/ie_spoof_myth/) \
65 | [Blind SQL Injection: Inference thourgh Underflow exception](https://dbellucci.blogspot.com/2009/12/blind-sql-injection-inference-through.html) \
66 | [Exploiting Unexploitable XSS](http://stephensclafani.com/2009/05/26/exploiting-unexploitable-xss/) \
67 | [Clickjacking & OAuth](http://stephensclafani.com/2009/05/04/clickjacking-oauth/) \
68 | [Google Translate - Google User Content - File Uploading Cross - XSS and Design Stringency - A Talk](https://zeroknock.blogspot.com/2009/12/google-translate-google-user-content.html) \
69 | [Active Man in the Middle Attacks](http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html) \
70 | [Cross-Site Identification (XSid)\
71 |     ](http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html) \
72 | [Microsoft IIS with Metasploit evil.asp;.jpg](http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx) \
73 | [MSWord Scripting Object XSS Payload Execution Bug and Random CLSID Stringency](https://zeroknock.blogspot.com/2009/12/google-chrome-webkit-msword-scripting.html) \
74 | [Generic cross-browser cross-domain theft](https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html) \
75 | [Popup & Focus URL Hijacking](http://ha.ckers.org/blog/20091228/popup-focus-url-hijacking/) \
76 | [Advanced SQL injection to operating system full control](https://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-slides.pdf) ([whitepaper](https://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf)) \
77 | [Expanding the control over the operating system from the database](http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database) \
78 | [HTML+TIME XSS attacks](https://pastebin.com/f7ac1cced) \
79 | [Enumerating logins via Abuse of Functionality vulnerabilities](http://websecurity.com.ua/2840/) \
80 | [Hellfire for redirectors](http://websecurity.com.ua/2854/) \
81 | [DoS attacks via Abuse of Functionality vulnerabilities](http://websecurity.com.ua/2981/) \
82 | [URL Spoofing vulnerability in bots of search engines](http://www.webappsec.org/lists/websecurity/archive/2009-04/msghtml) ([#2](http://www.webappsec.org/lists/websecurity/archive/2009-04/msghtml)) \
83 | [URL Hiding - new method of URL Spoofing attacks](http://websecurity.com.ua/3383/) \
84 | [Exploiting Facebook Application XSS Holes to Make API Requests](http://theharmonyguy.com/2009/10/09/the-month-of-facebook-bugs-report/) \
85 | [Unauthorized TinyURL URL Enumeration Vulnerability](http://securethoughts.com/2009/02/unauthorized-tinyurl-url-enumeration-vulnerability/) 
86 | 


--------------------------------------------------------------------------------
/2010.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2010
 2 | 
 3 | [Evercookie](http://samy.pl/evercookie/) \
 4 | [Hacking Auto-Complete ](https://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html)([Safari](https://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html) v1, [Safari v2 TabHack](https://jeremiahgrossman.blogspot.com/2010/09/safari-autofill-hack-lives.html), [Firefox](https://jeremiahgrossman.blogspot.com/2010/07/in-firefox-we-cant-read-auto-complete.html), [Internet Explorer](https://jeremiahgrossman.blogspot.com/2010/07/stealing-autocomplete-form-data-in.html)) \
 5 | [Cookie Eviction](https://jeremiahgrossman.blogspot.com/2010/07/patching-auto-complete-vulnerabilities.html) \
 6 | [Converting unimplementable Cookie-based XSS to a persistent attack](https://jeremiahgrossman.blogspot.com/2010/02/converting-unimplementable-cookie-based.html) \
 7 | [phpwn: Attack on PHP sessions and random numbers](http://samy.pl/phpwn/) \
 8 | [NAT Pinning: Penetrating routers and firewalls from a web page (forcing router to port forward)](http://samy.pl/natpin/) \
 9 | [Mapping a web browser to GPS coordinates via router XSS + Google Location Services without prompting the user](http://samy.pl/mapxss/) \
10 | [XSHM Mark 2](http://ha.ckers.org/blog/20100901/xshm-mark-2/) \
11 | [MitM DNS Rebinding SSL/TLS Wildcards and XSS](http://ha.ckers.org/blog/20100822/mitm-dns-rebinding-ssltls-wildcards-and-xss/) \
12 | [Using Cookies For Selective DoS and State Detection](http://ha.ckers.org/blog/20100822/using-cookies-for-selective-dos-and-state-detection/) \
13 | [Quick Proxy Detection](http://ha.ckers.org/blog/20100820/quick-proxy-detection/) \
14 | [Flash Camera and Mic Remember Function and XSS](http://ha.ckers.org/blog/20100718/flash-camera-and-mic-remember-funtion-and-xss/) \
15 | [Improving HTTPS Side Channel Attacks](http://ha.ckers.org/blog/20100622/improving-https-side-channel-attacks/) \
16 | [Side Channel Attacks in SSL](http://ha.ckers.org/blog/20100621/side-channel-attacks-in-ssl/) \
17 | [Turning XSS into Clickjacking](http://ha.ckers.org/blog/20100614/turning-xss-into-clickjacking/) \
18 | [Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution](http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html) \
19 | [CSS History Hack In Firefox Without JavaScript for Intranet Portscanning](http://ha.ckers.org/blog/20100125/css-history-hack-in-firefox-without-javascript-for-intranet-portscanning/) \
20 | [Popup & Focus URL Hijacking](http://ha.ckers.org/blog/20091228/popup-focus-url-hijacking/) \
21 | [Hacking Facebook with HTML5](http://m-austin.com/blog/?p=19) \
22 | [Stealing entire Auto-Complete data in Google Chrome](http://blog.andlabs.org/2010/08/stealing-entire-auto-complete-data-in.html) \
23 | [Chrome and Safari users open to stealth HTML5 AppCache attack](http://blog.andlabs.org/2010/06/chrome-and-safari-users-open-to-stealth.html) \
24 | [DNS Rebinding on Java Applets](http://blog.mindedsecurity.com/2010/10/dns-rebinding-on-java-applets.html) \
25 | [Strokejacking](http://seclists.org/fulldisclosure/2010/Mar/232) \
26 | [The curse of inverse strokejacking](https://lcamtuf.blogspot.com/2010/06/curse-of-inverse-strokejacking.html) \
27 | [Re-visiting JAVA De-serialization: It can't get any simpler than this !!](http://blog.andlabs.org/2010/09/re-visiting-java-de-serialization-it.html) \
28 | [Fooling B64_Encode(Payload) on WAFs and filters](http://blog.mindedsecurity.com/2010/04/fooling-b64encodepayload-on-wafs-and.html) \
29 | [MySQL Stacked Queries with SQL Injection...sort of](http://blog.mindedsecurity.com/2010/04/mysql-stacked-queries-with-sql.html) \
30 | [A Twitter DomXss, a wrong fix and something more](http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html) \
31 | [Get Internal Network Information with Java Applets](http://blog.mindedsecurity.com/2010/10/get-internal-network-information-with.html) \
32 | [Java DSN Rebinding + Java Same IP Policy = The Internet Mayhem](http://blog.mindedsecurity.com/2010/10/java-dsn-rebinding-java-same-ip-policy.html) \
33 | [Java Applet Same IP Host Access](http://blog.mindedsecurity.com/2010/10/java-applet-same-ip-host-access.html) \
34 | [ASP.NET 'Padding Oracle' Crypto Attack](https://threatpost.com/en_us/blogs/padding-oracle-crypto-attack-affects-millions-aspnet-apps-091310) \
35 | [Posting raw XML cross-domain](https://scarybeastsecurity.blogspot.com/2010/01/posting-raw-xml-cross-domain.html) \
36 | [Generic cross-browser cross-domain theft](https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html) \
37 | [One vector to rule them all](http://www.thespanner.co.uk/2010/09/15/one-vector-to-rule-them-all/) \
38 | [HTTP POST DoS](http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/228000532/index.html) \
39 | [Penetrating Intranets through Adobe Flex Applications](http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/) \
40 | [No Alnum JavaScript](https://extraexploit.blogspot.com/2010/10/dollars-javascript-code-yet-another.html) ([cheat sheet](http://sla.ckers.org/forum/read.php?24,33349), [jjencode demo](http://utf-jp/public/jjencode.html)) \
41 | [Attacking HTTPS with Cache Injection](https://www.youtube.com/watch?v=bt0Qh9c59_c) \
42 | [Tapjacking: owning smartphone browsers](https://www.youtube.com/watch?v=8GC7lqjJU6s) \
43 | [Breaking into a WPA network with a webpage](https://www.youtube.com/watch?v=-feE0twnCsw) \
44 | [XSS-Track: How to quietly track a whole website through single XSS](http://blog.kotowicz.net/2010/11/xss-track-how-to-quietly-track-whole.html) \
45 | [Next Generation Clickjacking](http://contextis.co.uk/resources/white-papers/clickjacking/) \
46 | [XSSing client-side dynamic HTML includes by hiding HTML inside images and more](http://blog.andlabs.org/2010/08/xssing-client-side-dynamic-html.html) \
47 | [Stroke triggered XSS and StrokeJacking](http://blog.andlabs.org/2010/04/stroke-triggered-xss-and-strokejacking_html) \
48 | [Internal Port Scanning via Crystal Reports](https://spl0it.wordpress.com/2010/12/02/internal-port-scanning-via-crystal-reports/) \
49 | [Lost in Translation (ASP's HomoXSSuality)](https://hackademix.net/2010/08/17/lost-in-translation-asps-homoxssuality/) \
50 | [Cross Site URL Hijacking by using Error Object in Mozilla Firefox](https://soroush.secproject.com/blog/2010/05/cross-site-url-hijacking-by-using-error-object-in-mozilla-firefox/) \
51 | [JavaSnoop](https://www.aspectsecurity.com/tools/javasnoop/) \
52 | [IIS1 Directory Authentication Bypass by using ":$I30:$Index_Allocation"](https://irsdlwordpress.com/2010/07/01/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/) \
53 | [Universal XSS in IE8](http://pus/ie8xss/) \
54 | [padding oracle web attack](https://www.usenix.org/events/woot10/tech/full_papers/Rizzo.pdf) ([poet](http://netifera.com/research/), [Padbuster](http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/), [demo](https://www.youtube.com/watch?v=yghiC_U2RaM)) \
55 | [IIS6/ASP & file upload for fun and profit](http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/) \
56 | [Google Chrome HTTP AUTH Dialog Spoofing through Realm Manipulation](https://zeroknock.blogspot.com/2010/08/google-chrome-http-auth-dialog-through.html) \
57 | [NoScript Bypass - "Reflective XSS" through Union SQL Poisoning Trick](https://www.youtube.com/TheKn0ck#p/a/u/1/r-kgKNspqjQ) \
58 | [Persistent Cross Interface Attacks](https://secniche.blogspot.com/2010/11/malware-paradox-cia-aavar-html) \
59 | [Port Scanning with HTML5 and JS-Recon](http://blog.andlabs.org/2010/12/port-scanning-with-html5-and-js-recon.html) \
60 | [Performing DDoS attacks with HTML5 Cross Origin Requests & WebWorkers](http://blog.andlabs.org/2010/12/performing-ddos-attacks-with-htmlhtml) \
61 | [Cracking hashes in the JavaScript cloud with Ravan](http://blog.andlabs.org/2010/12/cracking-hashes-in-javascript-cloud.html) \
62 | [Will it Blend?](http://xs-sniper.com/blog/2010/12/17/will-it-blend/) \
63 | [Stored XSS Vulnerability @ Amazon](http://drwetter.eu/amazon/) \
64 | [Poisoning proxy caches using Java/Flash/Web Sockets](http://www.adambarth.com/experimental/websocket.pdf) \
65 | [How to Conceal XSS Injection in HTML5](http://samuli.hakoniemi.net/how-to-conceal-xss-injection-in-html5/) \
66 | [Expanding the Attack Surface](http://xs-sniper.com/blog/2010/12/22/expanding-the-attack-surface/) \
67 | [Chronofeit Phishing](https://skeletonscribe.blogspot.com/2010/12/chronofeit-phishing.html) \
68 | [Non-Obvious (Crypto) Bugs by Example](https://docs.google.com/gview?url=http://gregorkopf.de/slides_berlinsides_pdf?pli%3D0&pli=1) \
69 | [SQLi filter evasion cheat sheet (MySQL)](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/) \
70 | [Tabnabbing: A New Type of Phishing Attack](http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/) \
71 | [UI Redressing: Attacks and Countermeasures Revisited](http://ui-redressing.mniemietz.de/) 
72 | 


--------------------------------------------------------------------------------
/2011.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2011
 2 | 
 3 | [Bypassing Flash's local-with-filesystem Sandbox](http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/) \
 4 | [Abusing HTTP Status Codes to Expose Private Information](https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information) \
 5 | [SpyTunes: Find out what iTunes music someone else has](http://andrewmcafee.org/2011/02/mcafee-apple-itunes-privacy-hole-violation/) \
 6 | [CSRF: Flash + 307 redirect = Game Over](http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html) \
 7 | [Close encounters of the third kind (client-side JavaScript vulnerabilities)](https://tinyurl.com/5w6koqj) \
 8 | [Tracking users that block cookies with a HTTP redirect](https://elie.im/blog/security/tracking-users-that-block-cookies-with-a-http-redirect/) \
 9 | [The Failure of Noise-Based Non-Continuous Audio Captchas](https://elie.im/publication/the-failure-of-noise-based-non-continuous-audio-captchas) \
10 | [Kindle Touch (5.0) Jailbreak/Root and SSH](http://yifan.lu/2011/12/10/kindle-touch-5-0-jailbreakroot-and-ssh/) \
11 | [NULLs in entities in Firefox](http://www.thespanner.co.uk/2011/12/05/nulls-in-entities-in-firefox/) \
12 | [Timing Attacks on CSS Shaders](http://www.schemehostport.com/2011/12/timing-attacks-on-css-shaders.html) \
13 | [CSRF with JSON -- leveraging XHR and CORS](https://shreeraj.blogspot.com/2011/11/csrf-with-json-leveraging-xhr-and-cors_28.html) \
14 | [Double eval() for DOM based XSS](https://shreeraj.blogspot.com/2011/12/double-eval-for-dom-based-xss.html) \
15 | [Hidden XSS Attacking the Desktop & Mobile Platforms](http://kyleosborn.org/2011/10/09/the-hidden-xss-attacking-the-desktop-mobile-platforms-slides-video/) \
16 | [Rapid history extraction through non-destructive cache timing (v8)](http://lcamtuf.coredump.cx/cachetime/) \
17 | [Lotus Notes Formula Injection](https://aboulton.blogspot.com/2011/11/new-type-of-vulnerability-lotus-notes.html) \
18 | [Stripping Referrer for fun and profit](http://blog.kotowicz.net/2011/10/stripping-referrer-for-fun-and-profit.html) \
19 | [How to upload arbitrary file contents cross-domain](http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html) ([2](http://blog.kotowicz.net/2011/05/cross-domain-arbitrary-file-upload.html)) \
20 | [Exploiting the unexploitable XSS with clickjacking](http://blog.kotowicz.net/2011/03/exploiting-unexploitable-xss-with.html) \
21 | [How to get SQL query contents from SQL injection flaw](http://blog.kotowicz.net/2011/01/how-to-get-sql-query-contents-from-sql.html) \
22 | [XSS-Track as a HTML5 WebSockets traffic sniffer](http://blog.kotowicz.net/2011/01/xss-track-as-html5-websockets-traffic.html) \
23 | [Cross domain content extraction with fake captcha](http://blog.kotowicz.net/2011/07/cross-domain-content-extraction-with.html) \
24 | [Autocomplete..again?!](http://blog.mindedsecurity.com/2011/10/autocompleteagain.html) \
25 | [JSON-based XSS exploitation](http://blog.watchfire.com/wfblog/2011/10/json-based-xss-exploitation.html) \
26 | [DNS poisoning via Port Exhaustion](http://blog.watchfire.com/wfblog/2011/10/dns-poisoning-via-port-exhaustion.html) \
27 | [Java Applet Same-Origin Policy Bypass via HTTP Redirect](https://nealpoole.com/blog/2011/10/java-applet-same-origin-policy-bypass-via-http-redirect/) \
28 | [HOW TO: Spy on the Webcams of Your Website Visitors](https://www.feross.org/webcam-spy/) \
29 | [Launch any file path from web page](https://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html) \
30 | [Crowd-sourcing mischief on Google Maps leads customers astray](https://nakedsecurity.sophos.com/2011/09/07/crowd-sourcing-mischief-on-google-maps-leads-customers-astray/) \
31 | [BEAST](https://vnhacker.blogspot.com/2011/09/beast.html) \
32 | [Bypassing Chrome's Anti-XSS filter](http://blog.securitee.org/?p=37) \
33 | [XSS in Skype for iOS](https://superevr.com/blog/2011/xss-in-skype-for-ios/) \
34 | [Cookiejacking](https://sites.google.com/site/tentacoloviola/) \
35 | [Stealth Cookie Stealing (new XSS technique)](http://pauldotcom.com/2011/05/stealth-cookie-stealing-new-xs.html) \
36 | [SurveyMonkey: IP Spoofing](http://blog.c22.cc/2011/04/22/surveymonkey-ip-spoofing/) \
37 | [Using Cross-domain images in WebGL and Chrome 13](https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html) \
38 | [Filejacking: How to make a file server from your browser (with HTML5 of course)](http://blog.kotowicz.net/2011/04/how-to-make-file-server-from-your.html) \
39 | [Exploitation of "Self-Only" Cross-Site Scripting in Google Code](https://amolnaik4.blogspot.com/2011/03/exploitation-of-self-only-cross-site.html) \
40 | [Expression Language Injection](https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit?hl=en_US&pli=1) \
41 | [(DOMinator) Finding DOMXSS with dynamic taint propagation](https://code.google.com/p/dominator/) \
42 | [Facebook: Memorializing a User](https://jeremiahgrossman.blogspot.com/2011/03/robert-rsnake-hansen-age-34-has-passed.html) \
43 | [How To Own Every User On A Social Networking Site](https://blog.whitehatsec.com/how-to-own-every-user-on-a-social-networking-site/) \
44 | [Text-based CAPTCHA Strengths and Weaknesses](https://elie.im/publication/text-based-captcha-strengths-and-weaknesses) \
45 | [Session Puzzling](https://code.google.com/p/puzzlemall/downloads/list) (aka Session Variable Overloading) Video [1](https://www.youtube.com/watch?v=HeP54b52IeQ), [2](https://www.youtube.com/watch?v=iTcOooHbgog), [3](https://www.youtube.com/watch?v=ikIyInm0wAg), [4](https://www.youtube.com/watch?v=-DackF8HsIE) \
46 | [Temporal Session Race Conditions](https://www.youtube.com/watch?v=woWECWwrsSk) Video [2](https://www.youtube.com/watch?v=3k_eJ1bcCro) \
47 | [Google Chrome/ChromeOS sandbox side step via owning extensions](https://media.blackhat.com/bh-us-11/Johansen/BH_US_11_JohnasenOsborn_Hacking_Google_WP.pdf) \
48 | [Excel formula injection in Google Docs](https://dsecrg.blogspot.com/2011/12/excel-formula-injection-in-google-docs.html) \
49 | [Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)](https://soroush.secproject.com/blog/2011/12/drag-and-drop-xss-in-firefox-by-html5-cross-domain-in-frames/) \
50 | [CAPTCHA Hax With TesserCap](https://gursevkalra.blogspot.com/2011/11/captcha-hax-with-tessercap.html) \
51 | [Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java](https://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/) \
52 | [Abusing Flash-Proxies for client-side cross-domain HTTP requests](http://polyboy.net/docs/2011_DIMVA_Flash_crossdomain_proxies.pdf) [[slides](http://polyboy.net/docs/Talks/2011_Bitingthehandthatservesyou_DIMVA.pdf)]
53 | 


--------------------------------------------------------------------------------
/2012.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2012
 2 | 
 3 | [CSRF token disclosure via iFRAME and CAPTCHA trickery](https://web.archive.org/web/20170903113359/http://www.computerworld.com/s/article/9234282/Attackers_can_abuse_Yahoo_developer_feature_to_steal_user_emails_other_data) ([2](https://web.archive.org/web/20170903113359/http://threatpost.com/en_us/blogs/bug-hunter-finds-blended-threat-targeting-yahoo-web-site-120312)) \
 4 | [Parasitic computing using 'Cloud Browsers'](https://web.archive.org/web/20170903113359/http://news.ncsu.edu/releases/wms-enck-cloud-browsers/) ([2](https://web.archive.org/web/20170903113359/http://www.darkreading.com/cloud-security/167901092/security/news/240142718/new-hack-abuses-cloud-based-browsers.html)) \
 5 | [Browser Event Hijacking](https://web.archive.org/web/20170903113359/http://labs.neohapsis.com/2012/11/14/browser-event-hijacking/) ([2](https://web.archive.org/web/20170903113359/http://arstechnica.com/security/2012/12/how-script-kiddies-can-hijack-your-browser-to-steal-your-password/), [3](https://web.archive.org/web/20170903113359/http://h43z.blogspot.com/2012/11/whats-real-and-whats-not.html)) \
 6 | [Cross-Site Port Attacks](https://web.archive.org/web/20170903113359/http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html) \
 7 | [How I Hacked StackOverflow](https://web.archive.org/web/20170903113359/http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html) \
 8 | [Visitor Tracking Without Cookies (or How To Abuse HTTP 301s)](https://web.archive.org/web/20170903113359/http://www.scatmania.org/2012/04/24/visitor-tracking-without-cookies/) \
 9 | [The "I Know..." series. What websites know about you](https://web.archive.org/web/20170903113359/https://www.whitehatsec.com/blog/introducing-the-i-know-series/) \
10 | [Hyperlink Spoofing and the Modern Web](https://web.archive.org/web/20170903113359/http://blogs.msdn.com/b/dross/archive/2012/04/26/hyperlink-spoofing-and-the-modern-web.aspx) \
11 | [Pwning via SSRF (memcached, php-fastcgi, etc)](https://web.archive.org/web/20170903113359/http://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_WP.pdf) ([2](https://web.archive.org/web/20170903113359/http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities), [3](https://web.archive.org/web/20170903113359/http://erpscan.com/press-center/blog/ssrf-via-ws-adressing/)) \
12 | [Using the HTML5 Fullscreen API for Phishing Attacks](https://web.archive.org/web/20170903113359/http://feross.org/html5-fullscreen-api-attack/) \
13 | [Steam Browser Protocol Insecurity](https://web.archive.org/web/20170903113359/http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf) \
14 | [Content Smuggling](https://web.archive.org/web/20170903113359/http://xs-sniper.com/blog/2012/10/11/content-smuggling/) \
15 | [Using HTTP headers pollution for mobile networks attacks](https://web.archive.org/web/20170903113359/http://news.softpedia.com/news/Users-of-Mobile-Portals-Exposed-to-HTTP-Header-Pollution-Attacks-Expert-Finds-293540.shtml) ([2](https://web.archive.org/web/20170903113359/http://blog.m-sec.net/2012/new-gsm-vulnerability/)) \
16 | [CRIME](https://web.archive.org/web/20170903113359/http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512) ([2](https://web.archive.org/web/20170903113359/http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/)) \
17 | [Top-Level Universal XSS](https://web.archive.org/web/20170903113359/https://superevr.com/blog/2012/top-level-universal-xss/) \
18 | [Blended Threats and JavaScript](https://web.archive.org/web/20170903113359/https://superevr.com/blog/2012/blended-threats-and-javascript/) \
19 | [Exploiting XSS in Ajax Web Applications](https://web.archive.org/web/20170903113359/https://superevr.com/blog/2012/exploiting-xss-in-ajax-web-applications/) \
20 | [.Net Cross Site Scripting -- Request Validation Bypassing](https://web.archive.org/web/20170903113359/http://www.quotium.com/research/advisories/XSS-NetRequestValidation.php) \
21 | [Stuffing Javascript into DNS names](https://web.archive.org/web/20170903113359/http://www.skullsecurity.org/blog/2010/stuffing-javascript-into-dns-names) \
22 | [Clickjacking Rootkits for Android](https://web.archive.org/web/20170903113359/https://www.youtube.com/watch?v=RxpMPrqnxC0) ([2](https://web.archive.org/web/20170903113359/http://web.ncsu.edu/abstract/technology/wms-jiang-clickjack/)) \
23 | [How Facebook lacked X-Frame-Options and what I did with it](https://web.archive.org/web/20170903113359/http://blog.kotowicz.net/2012/08/how-facebook-lacked-x-frame-options-and.html) \
24 | [IE9 Self-XSS Blackbox Protection bypass](https://web.archive.org/web/20170903113359/http://soroush.secproject.com/blog/2012/08/ie9-self-xss-blackbox-protection-bypass/) \
25 | [Bruteforce of PHPSESSID](https://web.archive.org/web/20170903113359/http://blog.ptsecurity.com/2012/08/not-so-random-numbers-take-two.html) \
26 | [File System API with HTML5 -- Juice for XSS](https://web.archive.org/web/20170903113359/http://shreeraj.blogspot.com/2012/08/file-system-api-with-html5-juice-for-xss.html) \
27 | [How to upload arbitrary file contents cross-domain](https://web.archive.org/web/20170903113359/http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html) \
28 | [Bypassing HTTP Basic Authenitcation in PHP Applications](https://web.archive.org/web/20170903113359/http://armoredcode.com/blog/bypassing-basic-authentication-in-php-applications/) (** potential rediscovery of: [HTExploit -- Bypassing .htaccess restrictions](https://web.archive.org/web/20170903113359/http://www.matiaskatz.com/en/projects/htexploit/) **) \
29 | [XSS: Gaining access to HttpOnly Cookie in 2012](https://web.archive.org/web/20170903113359/http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html) \
30 | [CSS-Only Clickjacking](https://web.archive.org/web/20170903113359/http://jsfiddle.net/gcollazo/UMyEm/embedded/result/) \
31 | [X-Frame-Options (XFO) Detection from Javascript](https://web.archive.org/web/20170903113359/https://www.whitehatsec.com/blog/x-frame-options-xfo-detection-from-javascript/) \
32 | [Fun with data: URLs](https://web.archive.org/web/20170903113359/http://blog.kotowicz.net/2012/04/fun-with-data-urls.html) \
33 | [Browsers Anti-XSS methods in ASP (classic) have been defeated!](https://web.archive.org/web/20170903113359/http://soroush.secproject.com/blog/2012/06/browsers-anti-xss-methods-in-asp-classic-have-been-defeated/) \
34 | [Yes, you can have fun with downloads](https://web.archive.org/web/20170903113359/http://lcamtuf.blogspot.com/2012/05/yes-you-can-have-fun-with-downloads.html) \
35 | [Stiltwalker, exploits weaknesses in the audio version of reCAPTCHA](https://web.archive.org/web/20170903113359/http://www.dc949.org/projects/stiltwalker/) \
36 | [CSS :visited may be a bit overrated](https://web.archive.org/web/20170903113359/http://lcamtuf.blogspot.com/2011/12/css-visited-may-be-bit-overrated.html) \
37 | ["ASPXErrorPath in URL" Technique in Scanning a .Net Web Application](https://web.archive.org/web/20170903113359/http://soroush.secproject.com/blog/2012/06/aspxerrorpath-in-url-technique-in-scanning-a-net-web-application/) \
38 | [Cursorjacking again](https://web.archive.org/web/20170903113359/http://blog.kotowicz.net/2012/01/cursorjacking-again.html) \
39 | [Chrome addon hacking](https://web.archive.org/web/20170903113359/http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html) ([2](https://web.archive.org/web/20170903113359/http://blog.kotowicz.net/2012/02/chrome-addons-hacking-want-xss-on.html), [3](https://web.archive.org/web/20170903113359/http://blog.kotowicz.net/2012/03/chrome-addons-hacking-bye-bye-adblock.html), [4](https://web.archive.org/web/20170903113359/http://blog.kotowicz.net/2012/07/xss-chef-chrome-extension-exploitation.html), [5](https://web.archive.org/web/20170903113359/http://blog.kotowicz.net/2012/09/owning-system-through-chrome-extension.html)) \
40 | [Jumping out of Touch Screen Kiosks](https://web.archive.org/web/20170903113359/http://seckb.yehg.net/2012/09/jumping-out-of-touch-screen-kiosks.html) \
41 | [Using POST method to bypass IE-browser protected XSS](https://web.archive.org/web/20170903113359/http://seckb.yehg.net/2012/06/using-post-method-to-bypass-ie-browser.html) \
42 | [Password extraction from Ajax/DOM/HTML5 routine](https://web.archive.org/web/20170903113359/http://shreeraj.blogspot.com/2012/01/password-extraction-from-ajaxdomhtml5.html) \
43 | [Random Number Security in Python](https://web.archive.org/web/20170903113359/http://blog.ptsecurity.com/2012/10/random-number-security-in-python.html) \
44 | [Bypassing Flash's local-with-filesystem Sandbox](https://web.archive.org/web/20170903113359/http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/) \
45 | [RCE through mangled WAR upload into Tomcat App Manager using PUT-in-Gopher-over-XXE](https://web.archive.org/web/20170903113359/http://www.slideshare.net/andrewpetukhov/no-locked-doors-no-windows-barred-hacking-openam-infrastructure/11) ([1](https://web.archive.org/web/20170903113359/https://www.youtube.com/watch?v=ZnsFhGYqI3g)) \
46 | [Using WordPress as a intranet and internet port scanner](https://web.archive.org/web/20170903113359/https://github.com/FireFart/WordpressPingbackPortScanner) \
47 | [UI Redressing Mayhem: Firefox 0-Day And The LeakedIn Affair](https://web.archive.org/web/20170903113359/http://blog.nibblesec.org/2012/12/ui-redressing-mayhem-firefox-0day-and.html) \
48 | [UI Redressing Mayhem: HTTPOnly Bypass PayPwn Style](https://web.archive.org/web/20170903113359/http://blog.nibblesec.org/2012/12/ui-redressing-mayhem-httponly-bypass_19.html) \
49 | [NTLM Relay via HTTP to internet or stealing windows user hashes while using java client](https://web.archive.org/web/20170903113359/http://erpscan.com/press-center/smbrelay-bible-7-ssrf-java-windows-love/) \
50 | [Bypassing CAPTCHAs by Impersonating CAPTCHA Providers](https://web.archive.org/web/20170903113359/http://gursevkalra.blogspot.com/2012/10/bypassing-captchas-by-impersonating.html) ([1](https://web.archive.org/web/20170903113359/http://www.mcafee.com/us/resources/white-papers/foundstone/wp-bypassing-captchas.pdf),[2](https://web.archive.org/web/20170903113359/https://github.com/OpenSecurityResearch/clipcaptcha)) \
51 | [CAPTCHA Re-Riding Attack](https://web.archive.org/web/20170903113359/http://gursevkalra.blogspot.com/2012/03/captcha-re-riding-attack.html) \
52 | [Attacking CAPTCHAs for Fun and Profit](https://web.archive.org/web/20170903113359/http://www.mcafee.com/us/resources/white-papers/foundstone/wp-attacking-captchas-for-fun-profit.pdf) \
53 | [Permanent backdooring of HTML5 client-side application](https://web.archive.org/web/20170903113359/http://securitymusings.com/article/3159/how-a-platform-using-html5-can-affect-the-security-of-your-website) [Apture example]
54 | [Cracking Ruby on Rails Session](https://web.archive.org/web/20170903113359/http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html)s
55 | [Bruteforcing/Abusing search functions with no-rate checks to collect data](https://web.archive.org/web/20170903113359/http://suriya.me/me-and-facebook-a-cautionary-tale/) \
56 | [Cross Context Scripting from within the Browser](https://web.archive.org/web/20170903113359/http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html) ([1](https://web.archive.org/web/20170903113359/http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-rss-rce.html)) \
57 | [Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)](https://web.archive.org/web/20170903113359/http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pentesters-guide-to-hacking-odata.pdf) \
58 | [Same Origin Spoofing to Attack Client Certificate Sessions](https://web.archive.org/web/20170903113359/https://isecpartners.com/news-events/news/2012/december/an-attack-on-ssl-client-certificates.aspx)
59 | 


--------------------------------------------------------------------------------
/2013.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2013
 2 | 
 3 | [Tor Hidden-Service Passive De-Cloaking](http://web.archive.org/web/20160507023636/https://www.whitehatsec.com/blog/tor-hidden-service-passive-de-cloaking/) \
 4 | [Top 3 Proxy Issues That No One Ever Told You](http://web.archive.org/web/20160507023636/https://www.whitehatsec.com/blog/top-3-proxy-issues-that-no-one-ever-told-you/) \
 5 | [Gravatar Email Enumeration in JavaScript](http://web.archive.org/web/20160507023636/https://www.whitehatsec.com/blog/gravatar-email-enumeration-in-javascript/) \
 6 | [Pixel Perfect Timing Attacks with HTML5](http://web.archive.org/web/20160507023636/http://contextis.co.uk/research/white-papers/pixel-perfect-timing-attacks-html5/) \
 7 | Million Browser Botnet [Video](http://web.archive.org/web/20160507023636/https://www.youtube.com/watch?v=ERJmkLxGRC0) [Briefing](http://web.archive.org/web/20160507023636/http://blackhat.com/us-13/briefings.html#Grossman) \
 8 | [Slideshare](http://web.archive.org/web/20160507023636/http://www.slideshare.net/jeremiahgrossman/million-browser-botnet) \
 9 | [Auto-Complete Hack by Hiding Filled in Input Fields with CSS](http://web.archive.org/web/20160507023636/https://yoast.com/research/autocompletetype.php) \
10 | [Site Plagiarizes Blog Posts, Then Files DMCA Takedown on Originals](http://web.archive.org/web/20160507023636/http://arstechnica.com/science/2013/02/site-plagiarizes-blog-posts-then-files-dmca-takedown-on-originals/) \
11 | [The Case of the Unconventional CSRF Attack in Firefox](http://web.archive.org/web/20160507023636/https://www.whitehatsec.com/blog/the-case-of-an-unconventional-csrf-attack-in-firefox/) \
12 | [Ruby on Rails Session Termination Design Flaw](http://web.archive.org/web/20160507023636/http://maverickblogging.com/logout-is-broken-by-default-ruby-on-rails-web-applications/) \
13 | [HTML5 Hard Disk Filler™ API](http://web.archive.org/web/20160507023636/http://feross.org/fill-disk/) \
14 | [Aaron Patterson -- Serialized YAML Remote Code Execution](http://web.archive.org/web/20160507023636/https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KtmwSbEpzrU) \
15 | [Fireeye -- Arbitrary reading and writing of the JVM process](http://web.archive.org/web/20160507023636/http://threatpost.com/java-zero-day-procession-continues-030113/77575) \
16 | [Timothy Morgan -- What You Didn't Know About XML External Entity Attacks](http://web.archive.org/web/20160507023636/https://www.youtube.com/watch?v=eHSNT8vWLfc) \
17 | [Angelo Prado, Neal Harris, Yoel Gluck -- BREACH](http://web.archive.org/web/20160507023636/http://threatpost.com/breach-compression-attack-steals-https-secrets-in-under-30-seconds/101579) \
18 | [James Bennett -- Django DOS](http://web.archive.org/web/20160507023636/http://threatpost.com/patches-for-django-framework-fix-dos-vulnerability/102323) \
19 | [Phil Purviance -- Don't Use Linksys Routers](http://web.archive.org/web/20160507023636/https://superevr.com/blog/2013/dont-use-linksys-routers/) \
20 | [Mario Heiderich -- Mutation XSS](http://web.archive.org/web/20160507023636/https://www.hackinparis.com/talk-mario-heiderich) \
21 | [Timur Yunusov and Alexey Osipov -- XML Out of Band Data Retrieval](http://web.archive.org/web/20160507023636/https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf) \
22 | [Carlos Munoz -- Bypassing Internet Explorer's Anti-XSS Filter](http://web.archive.org/web/20160507023636/https://www.whitehatsec.com/blog/internet-explorer-xss-filter) \
23 | [Zach Cutlip -- Remote Code Execution in Netgear routers](http://web.archive.org/web/20160507023636/http://threatpost.com/some-netgear-routers-open-to-remote-authentication-bypass-command-injection/102689) \
24 | [Cody Collier -- Exposing Verizon Wireless SMS History](http://web.archive.org/web/20160507023636/http://www.tripwire.com/state-of-security/top-security-stories/verizon-wirelesss-customer-portal-exposed-text-messages/) \
25 | [Compromising an unreachable Solr Serve](http://web.archive.org/web/20160507023636/http://www.agarri.fr/blog/) \
26 | [Finding Weak Rails Security Tokens](http://web.archive.org/web/20160507023636/http://averagesecurityguy.info/2013/11/08/finding-weak-rails-security-tokens/) \
27 | [Ashar Javad Attack against Facebook's password reset process.](http://web.archive.org/web/20160507023636/http://slid.es/mscasharjaved/trusted-friend-attack) \
28 | [Father/Daughter Team Finds Valuable Facebook Bug](http://web.archive.org/web/20160507023636/http://threatpost.com/father-daughter-hacking-team-finds-valuable-facebook-bug/102877) \
29 | [Hacker scans the internet](http://web.archive.org/web/20160507023636/http://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/) \
30 | [Eradicating DNS Rebinding with the Extended Same-Origin Policy](http://web.archive.org/web/20160507023636/http://ben-stock.de/wp-content/uploads/dns-rebinding.pdf) \
31 | [Large Scale Detection of DOM based XSS](http://web.archive.org/web/20160507023636/http://ben-stock.de/wp-content/uploads/domxss.pdf) \
32 | [Struts 2 OGNL Double Evaluation RCE](http://web.archive.org/web/20160507023636/https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection) \
33 | [Lucky 13 Attack](http://web.archive.org/web/20160507023636/http://www.isg.rhul.ac.uk/tls/Luckyhtml) \
34 | [Weaknesses in RC4](http://web.archive.org/web/20160507023636/http://www.isg.rhul.ac.uk/tls/)
35 | 


--------------------------------------------------------------------------------
/2014.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2014
 2 | 
 3 | [Heartbleed](https://web.archive.org/web/20160403035045/http://heartbleed.com/)
 4 | 
 5 | [TweetDeck XSS](https://web.archive.org/web/20160403035045/http://threatpost.com/tweetdeck-taken-down-in-wake-of-xss-attacks)
 6 | 
 7 | [OpenSSL CVE-2014-0224](https://web.archive.org/web/20160403035045/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224)
 8 | 
 9 | [Rosetta Flash](https://web.archive.org/web/20160403035045/http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)
10 | 
11 | [Unauthenticated Backup and Password Disclosure In HandsomeWeb SOS Webpages cve-2014-3445](https://web.archive.org/web/20160403035045/https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-3445/)
12 | 
13 | [CTA: The weaknesses in client side xss filtering targeting Chrome's XSS Auditor](https://web.archive.org/web/20160403035045/https://www.blackhat.com/us-14/briefings.html#call-to-arms-a-tale-of-the-weaknesses-of-current-client-side-xss-filtering)
14 | 
15 | [Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512](https://web.archive.org/web/20160403035045/http://www.vupen.com/blog/20140520.Advanced_Exploitation_Firefox_UaF_Pwn2Own_2014.php)
16 | 
17 | [Facebook hosted DDOS with notes app](https://web.archive.org/web/20160403035045/http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/)
18 | 
19 | [The Web Never Forgets: Persistent Tracking Mechanisms in the Wild](https://web.archive.org/web/20160403035045/https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf)
20 | 
21 | [Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)](https://web.archive.org/web/20160403035045/http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html)
22 | 
23 | [The PayPal 2FA Bypass](https://web.archive.org/web/20160403035045/https://www.duosecurity.com/blog/the-paypal-2fa-bypass-how-legacy-infrastructure-impacts-modern-security)
24 | 
25 | [AIR Flash RCE from PWN2OWN](https://web.archive.org/web/20160403035045/http://threatpost.com/adobe-patches-air-pwn2own-vulnerability-in-flash/105359)
26 | 
27 | [PXSS on long length videos to DOS](https://web.archive.org/web/20160403035045/http://threatpost.com/researchers-uncover-interesting-browser-based-botnet/105250)
28 | 
29 | [MSIE Flash 0day targeting french aerospace](https://web.archive.org/web/20160403035045/http://community.websense.com/blogs/securitylabs/archive/2014/02/14/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx)
30 | 
31 | [Linskys E420 Authentication Bypass Disclosure](https://web.archive.org/web/20160403035045/https://phra.gs/blob/2014-06-04-linksys-e4200-auth-bypass.html)
32 | 
33 | [Paypal Manager Account Hijack](https://web.archive.org/web/20160403035045/https://docs.google.com/viewer?url=http%3A%2F%2Fwww.securatary.com%2FPortals%2F0%2FVulnerabilities%2FPayPal%2FPaypal%2520Manager%2520Account%2520Hijack.pdf)
34 | 
35 | [Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID](https://web.archive.org/web/20160403035045/http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html)
36 | 
37 | [How I hacked Instagram to see your private photos](https://web.archive.org/web/20160403035045/http://insertco.in/2014/02/10/how-i-hacked-instagram/)
38 | 
39 | [How I hacked GitHub again](https://web.archive.org/web/20160403035045/http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html?m=1)
40 | 
41 | [ShellShock](https://web.archive.org/web/20160403035045/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271)
42 | 
43 | [Poodle](https://web.archive.org/web/20160403035045/https://www.openssl.org/~bodo/ssl-poodle.pdf)
44 | 
45 | [Residential Gateway "Misfortune Cookie"](https://web.archive.org/web/20160403035045/http://threatpost.com/12-million-home-routers-vulnerable-to-takeover/109970)
46 | 
47 | [Recursive DNS Resolver (DOS)](https://web.archive.org/web/20160403035045/http://www.kb.cert.org/vuls/id/264212)
48 | 
49 | [Belkin Buffer Overflow via Web](https://web.archive.org/web/20160403035045/https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/)
50 | 
51 | [Google User De-Anonymization](https://web.archive.org/web/20160403035045/http://threatpost.com/new-timing-attack-could-de-anonymize-google-users/108141)
52 | 
53 | [Soaksoak WordPress Malware](https://web.archive.org/web/20160403035045/http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html)
54 | 
55 | [Hacking PayPal Accounts with 1 Click](https://web.archive.org/web/20160403035045/http://yasserali.com/hacking-paypal-accounts-with-one-click/)
56 | 
57 | [Same Origin Bypass in Adobe Reader CVE-2014-8453](https://web.archive.org/web/20160403035045/http://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html)
58 | 
59 | [RevSlider](https://web.archive.org/web/20160403035045/http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html)
60 | 
61 | [HikaShop Object Injection](https://web.archive.org/web/20160403035045/http://blog.sucuri.net/2014/11/deep-dive-into-the-hikashop-vulnerability.html)
62 | 
63 | [Covert Timing Channels based on HTTP Cache Headers](https://web.archive.org/web/20160403035045/http://www.slideshare.net/dnkolegov/wh102014)
64 | 
65 | [NODE.JS CONNECT CSRF BYPASS ABUSING METHODOVERRIDE MIDDLEWARE](https://web.archive.org/web/20160403035045/http://blog.nibblesec.org/2014/05/nodejs-connect-csrf-bypass-abusing.html)
66 | 
67 | [Bypassing NoCAPTHCA](https://web.archive.org/web/20160403035045/http://homakov.blogspot.com/2014/12/the-no-captcha-problem.html)
68 | 
69 | [Delta Boarding Pass Spoofing](https://web.archive.org/web/20160403035045/https://medium.com/@da/need-a-last-minute-flight-45af88ec8df3)
70 | 
71 | [Cryptophp Backdoor](https://web.archive.org/web/20160403035045/http://thehackernews.com/2014/11/cryptophp-backdoored-cms-plugins-themes.html)
72 | 
73 | [Microsoft SChannel Vulnerability](https://web.archive.org/web/20160403035045/https://www.us-cert.gov/ncas/alerts/TA14-318A)
74 | 
75 | [Google Two-Factor Authentication Bypass](https://web.archive.org/web/20160403035045/http://gizmodo.com/how-hackers-reportedly-side-stepped-gmails-two-factor-a-1653631338)
76 | 
77 | [Drupal 7 Core SQLi](https://web.archive.org/web/20160403035045/https://www.drupal.org/SA-CORE-2014-005)
78 | 
79 | [Apache Struts ClassLoader Manipulation Remote Code Execution](https://web.archive.org/web/20160403035045/https://cwiki.apache.org/confluence/display/WW/S2-020) and [Blog Post](https://web.archive.org/web/20160403035045/http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader)
80 | 
81 | [Reflected File Download](https://web.archive.org/web/20160403035045/http://blog.spiderlabs.com/2014/10/reflected-file-download-the-white-paper.html)
82 | 
83 | [Misfortune Cookie -- TR-069 ACS Vulnerabilities in residential gateway routers](https://web.archive.org/web/20160403035045/http://mis.fortunecook.ie/)
84 | 
85 | [Hostile Subdomain Takeover using Heroku/Github/Desk + more](https://web.archive.org/web/20160403035045/http://blog.detectify.com/post/100600514143/hostile-subdomain-takeover-usin): [Example 1](https://web.archive.org/web/20160403035045/https://github.com/cryptocat/cryptocat/issues/690) and [Example 2](https://web.archive.org/web/20160403035045/https://hackerone.com/reports/32825)
86 | 
87 | [File Name Enumeration in Rails](https://web.archive.org/web/20160403035045/https://hackerone.com/reports/33935)
88 | 
89 | [FlashFlood](https://web.archive.org/web/20160403035045/https://www.whitehatsec.com/blog/hackerkast-13-bonus-round/)
90 | 
91 | [Canadian Beacon](https://web.archive.org/web/20160403035045/https://www.whitehatsec.com/blog/hackerkast-14-bonus-round/)
92 | 
93 | [setTimeout Clickjacking](https://web.archive.org/web/20160403035045/https://www.whitehatsec.com/blog/hackerkast-11-bonus-round/)
94 | 


--------------------------------------------------------------------------------
/2015.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2015
 2 | 
 3 | [LogJam](https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html)
 4 | 
 5 | [Abusing XSLT for Practical Attacks](https://www.youtube.com/watch?v=bUcd-yibTCE)
 6 | 
 7 | [Java Deserialization w/ Apache Commons Collections in WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#thevulnerability)
 8 | 
 9 | [Breaking HTTPS with BGP Hijacking](https://www.youtube.com/watch?v=yEjPIagrB0M)
10 | 
11 | [Pawn Storm (CVE-2015-7645)](http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/)
12 | 
13 | [Superfish SSL MitM](http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/)
14 | 
15 | [Bypass Surgery](https://www.youtube.com/watch?v=ekUQIVUzDX4)
16 | 
17 | [Abusing CDNs with SSRF Flash and DNS](https://www.youtube.com/watch?v=ekUQIVUzDX4)
18 | 
19 | [Google Drive SSO Phishing](http://www.darkreading.com/cloud/new-phishing-campaign-leverages-googl%20e-drive-/d/d-id/1321485)
20 | 
21 | [Dom Flow](https://www.youtube.com/watch?v=kedmtrIEW1k)
22 | 
23 | [Untangling The DOM For More Easy-Juicy Bugs](https://www.youtube.com/watch?v=kedmtrIEW1k)
24 | 
25 | [Password mining from AWS/Parse Tokens](http://www.darkreading.com/application-security/web-app-developers-putting-millions-at-risk/d/d-id/1320720)
26 | 
27 | [St. Louis Federal Reserve DNS Redirect](http://krebsonsecurity.com/2015/05/st-louis-federal-reserve-suffers-dns-breach/)
28 | 
29 | [Exploiting XXE in File Upload Functionality](https://www.youtube.com/watch?v=ouBwRZJHmmo)
30 | 
31 | [Expansions on FREAK attack](http://www.darkreading.com/scope-of-freak-flaw-widens-as-microsoft-says-windows-affected-too/d/d-id/1319380)
32 | 
33 | [eDellRoot](http://krebsonsecurity.com/2015/11/security-bug-in-dell-pcs-shipped-since-815/#more-33044)
34 | 
35 | [WordPress Core RCE](http://blog.checkpoint.com/2015/08/04/wordpress-vulnerabilities-1/)
36 | 
37 | [FileCry](https://www.youtube.com/watch?v=YBu0ZB9xIgw)
38 | 
39 | [The New Age of XXE](https://www.youtube.com/watch?v=YBu0ZB9xIgw)
40 | 
41 | [Server-Side Template Injection: RCE for the Modern Web App](https://www.youtube.com/watch?v=T7_DX9lSjlk)
42 | 
43 | [IE11 RCE](http://www.securityweek.com/microsoft-issues-emergency-patch-critical-ie-flaw-exploited-wild)
44 | 
45 | [Understanding and Managing Entropy Usage](https://www.youtube.com/watch?v=X8Scc2nmSh8)
46 | 
47 | [Attack Surface for Project Spartan's EdgeHTML Rendering Engine](https://www.blackhat.com/docs/us-15/materials/us-15-Yason-Understanding-The-Attack-Surface-And-Attack-Resilience-Of-Project-Spartans-New-EdgeHTML-Rendering-Engine-wp.pdf)
48 | 
49 | [Web Timing Attacks Made Practical](https://www.youtube.com/watch?v=KirTCSAvt9M)
50 | 
51 | [Winning the Online Banking War](https://www.youtube.com/watch?v=7y3K83sOnG8)
52 | 
53 | [CNNINC SSL MitM](https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/)
54 | 
55 | [New Methods in Automated XSS Detection: Dynamic XSS Testing Without Using Static Payloads](https://www.youtube.com/watch?v=G539NwvpL3I&list=PLpr-xdpM8wG93dG_L9QKs0W1cD-esQEzU&index=23) [Practical Timing Attacks using Mathematical Amplification of Time Difference in == Operator](https://appsecusa2015.sched.org/speaker/mostafa_siraj.1tssijvd)
56 | 
57 | [The old is new, again. CVE20112461 is back!](https://www.youtube.com/watch?v=ZW2TVOPAbTE)
58 | 
59 | [illusoryTLS](http://www.illusorytls.com/)
60 | 
61 | [Hunting ASynchronous Vulnerabilities](https://vimeo.com/ondemand/44conlondon2015/142249673)
62 | 
63 | [New Evasions for Web Application Firewalls](https://mazinahmed.net/uploads/Evading%20All%20Web-Application%20Firewalls%20XSS%20Filters.pdf)
64 | 
65 | Magic Hashes
66 | 
67 | Formaction Scriptless attack updates
68 | 
69 | [The Unexpected Dangers of Dynamic JavaScript](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf)
70 | 
71 | [Who Are You? A Statistical Approach to Protecting LinkedIn Logins(CSS UI Redressing Issue)](https://security.linkedin.com/blog-archive#11232015)
72 | 
73 | [Evading All Web Application filters](http://blog.mazinahmed.net/2015/09/evading-all-web-application-firewalls.html)
74 | 
75 | [Multiple Facebook Messenger CSRF's](http://blog.mazinahmed.net/2015/06/facebook-messenger-multiple-csrf.html)
76 | 
77 | [Relative Path Overwrite](http://www.thespanner.co.uk/2014/03/21/rpo/)
78 | 
79 | [SMTP Injection via Recipient Email Address](http://www.mbsd.jp/Whitepaper/smtpi.pdf)
80 | 
81 | [Serverside Template Injection](http://blog.portswigger.net/2015/08/server-side-template-injection.html)
82 | 
83 | [Hunting Asynchronous Vulnerabilities](http://blog.portswigger.net/2015/09/hunting-asynchronous-vulnerabilities.html)
84 | 


--------------------------------------------------------------------------------
/2016-17.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2016/17
 2 | 
 3 | why two years? see https://portswigger.net/research/top-10-web-hacking-techniques-of-2017-nominations-open 
 4 | 
 5 | [How I hacked hundreds of companies through their helpdesk](https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c)\
 6 | [Web Cache Deception Attack](https://omergil.blogspot.com/2017/02/web-cache-deception-attack.html)\
 7 | [GitHubs post-CSP journey](https://githubengineering.com/githubs-post-csp-journey/)\
 8 | [Request encoding to bypass web application firewalls](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/request-encoding-to-bypass-web-application-firewalls/)\
 9 | [Binary Webshell Through OPcache in PHP 7](https://gosecure.net/2016/04/27/binary-webshell-through-opcache-in-php-7/)\
10 | [A deep dive into AWS S3 access controls taking full control over your assets](https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/)\
11 | [CVE-2018-5175: Universal CSP strict-dynamic bypass in Firefox](https://mksben.l0.cm/2018/05/cve-2018-5175-firefox-csp-strict-dynamic-bypass.html)\
12 | [HaXmas: The True Meaning(s) of Metasploit](https://blog.rapid7.com/2017/12/25/haxmas-the-true-meaning-s-of-metasploit/)\
13 | [The Good, The Bad and The Ugly of Safari in Client-Side Attacks](https://lab.wallarm.com/the-good-the-bad-and-the-ugly-of-safari-in-client-side-attacks-56d0cb61275a)\
14 | [Modern Alchemy: Turning XSS into RCE](https://blog.doyensec.com/2017/08/03/electron-framework-security.html)\
15 | [My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, e](https://youtu.be/aeevfVXPIqo)\
16 | [Dont Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets](https://youtu.be/p07acPBi-qw)\
17 | [From Markdown to RCE in Atom](https://web.archive.org/web/20181124230850/https://statuscode.ch/2017/11/from-markdown-to-rce-in-atom/)\
18 | [The Absurdly Underestimated Dangers of CSV Injection](http://georgemauer.net/2017/10/07/csv-injection.html)\
19 | [Rare ASP.NET request validation bypass using request encoding](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/rare-aspnet-request-validation-bypass-using-request-encoding/)\
20 | [Password Not Provided - Compromising Any Flurry Users Account](https://lightningsecurity.io/blog/password-not-provided/)\
21 | [$10k host header](https://sites.google.com/site/testsitehacking/10k-host-header)\
22 | [The .io Error - Taking Control of All .io Domains With a Targeted Registration](https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/index.html)\
23 | [Pivoting from blind SSRF to RCE with HashiCorp Consul](http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html)\
24 | [Exploiting the unexploitable with lesser known browser tricks](https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks)\
25 | [Why CSP Should be carefully crafted: Twitter XSS CSP Bypass ](http://www.paulosyibelo.com/2017/05/twitter-xss-csp-bypass.html)\
26 | [Text/Plain Considered Harmful](https://web.archive.org/web/20180808171731/https://jankopecky.net/index.php/2017/04/18/0day-textplain-considered-harmful/)\
27 | [Autobinding vulns and Spring MVC](https://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html)\
28 | [Stealing Messenger.com Login Nonces](https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/)\
29 | [Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token](https://labs.detectify.com/2017/02/28/hacking-slack-using-postmessage-and-websocket-reconnect-to-steal-your-precious-token/)\
30 | [1139 - cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory](https://bugs.chromium.org/p/project-zero/issues/detail?id=1139)\
31 | [The Attack of the Alerts and the Zombie Script (IE)](https://www.brokenbrowser.com/zombie-alert/)\
32 | [Shopware 5.3.3: PHP Object Instantiation to Blind XXE](https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/)\
33 | [Assorted WordPress DB prepare exploits](https://twitter.com/mslavco/status/1019332176846950400)\
34 | [A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf)\
35 | [Cure53 Browser Security Whitepaper](https://github.com/cure53/browser-sec-whitepaper/blob/master/browser-security-whitepaper.pdf)\
36 | [Friday-The-13th-JSON-Attacks-wp.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)\
37 | [X41 Browser Security Whitepaper](https://github.com/x41sec/browser-security-whitepaper-2017/blob/master/X41-Browser-Security-White-Paper.pdf)\
38 | [How I used google dorks to find 0-days](https://www.linkedin.com/pulse/how-i-used-google-dorks-find-0-days-suraj-khetani/)\
39 | [MITM Attacks on HTTPS: Another Perspective](https://www.slideshare.net/GreenD0g/mitm-attacks-on-https-another-perspective/)\
40 | [Google Maps XSS (by fiddling with Protobuf)](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff)\
41 | [Advanced Flash Vulnerabilities](https://opnsec.com/category/flash/)
42 | 


--------------------------------------------------------------------------------
/2018.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2018
 2 | 
 3 | [How I exploited ACME TLS-SNI-01 issuing Let's Encrypt SSL-certs for any domain using shared hosting](https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/) \
 4 | [Kicking the Rims - A Guide for Securely Writing and Auditing Chrome Extensions | The Hacker Blog](https://thehackerblog.com/kicking-the-rims-a-guide-for-securely-writing-and-auditing-chrome-extensions/) \
 5 | [EdOverflow | An analysis of logic flaws in web-of-trust services.](https://edoverflow.com/2018/logic-flaws-in-wot-services/) \
 6 | [OWASP AppSecEU 2018 -- Attacking "Modern" Web Technologies](https://www.slideshare.net/fransrosen/attacking-modern-web-technologies?from_action=save) \
 7 | [PowerPoint Presentation - OWASP_AppSec_EU18_WordPress.pdf](https://files.ripstech.com/slides/OWASP_AppSec_EU18_WordPress.pdf) \
 8 | [Scratching the surface of host headers in Safari](https://labs.detectify.com/2018/04/04/host-headers-safari/) \
 9 | [RCE by uploading a web.config -- 003Random's Blog](https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/) \
10 | [Security: HTTP Smuggling, Apsis Pound load balancer | RBleug](https://regilero.github.io/security/english/2018/07/03/security_pound_http_smuggling/) \
11 | [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a) \
12 | [inputzero: A bug that affects million users - Kaspersky VPN | Dhiraj Mishra](https://www.inputzero.io/2018/08/kaspersky-vpn-leaks-dns-address.html) \
13 | [inputzero: Telegram anonymity fails in desktop - CVE-2018-17780 | Dhiraj Mishra](https://www.inputzero.io/2018/09/bug-bounty-telegram-cve-2018-17780.html) \
14 | [inputzero: An untold story of skype by microsoft | Dhiraj Mishra](https://www.inputzero.io/2018/09/buggy-skype.html) \
15 | [Neatly bypassing CSP -- Wallarm](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa) \
16 | [Large-Scale Analysis of Style Injection by Relative Path Overwrite - www2018rpo_paper.pdf](https://sajjadium.github.io/files/www2018rpo_paper.pdf) \
17 | [Beyond XSS: Edge Side Include Injection :: GoSecure](https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/) \
18 | [GitHub - HoLyVieR/prototype-pollution-nsec18: Content released at NorthSec 2018 for my talk on prototype pollution](https://github.com/HoLyVieR/prototype-pollution-nsec18) \
19 | [Logically Bypassing Browser Security Boundaries - Speaker Deck](https://speakerdeck.com/shhnjk/logically-bypassing-browser-security-boundaries) \
20 | [Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf) \
21 | [Web Cache Deception Attack - YouTube](https://www.youtube.com/watch?v=mroq9eHFOIU) \
22 | [Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | Duo Security](https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations) \
23 | [#307670 Difference in query string parameter processing between Hacker News and Keybase Chrome extension spawns chat to incorrect user](https://hackerone.com/reports/307670) \
24 | [lanmaster53.com](https://www.lanmaster53.com/2018/03/15/report-spam-get-owned/) \
25 | [Beyond XSS: Edge Side Include Injection :: GoSecure](https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/) \
26 | [Scratching the surface of host headers in Safari](https://labs.detectify.com/2018/04/04/host-headers-safari/) \
27 | [#309531 Stored XSS in Snapmatic + R★Editor comments](https://hackerone.com/reports/309531) \
28 | [InsertScript: Adobe Reader PDF - Client Side Request Injection](https://insert-script.blogspot.com/2018/05/adobe-reader-pdf-client-side-request.html) \
29 | [$36k Google App Engine RCE - Ezequiel Pereira](https://sites.google.com/site/testsitehacking/-36k-google-app-engine-rce) \
30 | [MKSB(en): CVE-2018-5175: Universal CSP strict-dynamic bypass in Firefox](https://mksben.l0.cm/2018/05/cve-2018-5175-firefox-csp-strict-dynamic-bypass.html) \
31 | [#341876 SSRF in Exchange leads to ROOT access in all instances](https://hackerone.com/reports/341876) \
32 | [reCAPTCHA bypass via HTTP Parameter Pollution -- Andres Riancho](https://andresriancho.com/recaptcha-bypass-via-http-parameter-pollution/) \
33 | [Data Exfiltration via Formula Injection #Part1](https://www.notsosecure.com/data-exfiltration-formula-injection/) \
34 | [Read&Write Chrome Extension Same Origin Policy (SOP) Bypass Vulnerability | The Hacker Blog](https://thehackerblog.com/reading-your-emails-with-a-readwrite-chrome-extension-same-origin-policy-bypass-8-million-users-affected/index.html) \
35 | [Firefox uXSS and CSS XSS - Abdulrahman Al-Qabandi](https://leucosite.com/Firefox-uXSS-and-CSS-XSS/) \
36 | [Server-Side Spreadsheet Injection - Formula Injection to Remote Code Execution - Bishop Fox](https://www.bishopfox.com/blog/2018/06/server-side-spreadsheet-injections/) \
37 | [Bypassing Web-Application Firewalls by abusing SSL/TLS | 0x09AL Security blog](https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html) \
38 | [Evading CSP with DOM-based dangling markup | Blog](https://portswigger.net/blog/evading-csp-with-dom-based-dangling-markup) \
39 | [Save Your Cloud: DoS on VMs in OpenNebula 4.6.1](https://web-in-security.blogspot.com/2018/07/save-your-cloud-dos-on-vms-in.html) \
40 | [CRLF Injection Into PHP's cURL Options -- TomNomNom -- Medium](https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545) \
41 | [Practical Web Cache Poisoning | Blog](https://portswigger.net/blog/practical-web-cache-poisoning) \
42 | [#317476 Account Takeover in Periscope TV](https://hackerone.com/reports/317476) \
43 | [A timing attack with CSS selectors and Javascript](https://blog.sheddow.xyz/css-timing-attack/) \
44 | [VPN Extensions are not for privacy](https://blog.innerht.ml/vpn-extensions-are-not-for-privacy/) \
45 | [Exposing Intranets with reliable Browser-based Port scanning | Blog](https://portswigger.net/blog/exposing-intranets-with-reliable-browser-based-port-scanning) \
46 | [Exploiting XXE with local DTD files](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) \
47 | [A story of the passive aggressive sysadmin of AEM - Speaker Deck](https://speakerdeck.com/fransrosen/a-story-of-the-passive-aggressive-sysadmin-of-aem) \
48 | [Hunting for security bugs in AEM webapps - Speaker Deck](https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps) \
49 | [ASP.NET resource files (.RESX) and deserialisation issues](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/) \
50 | [Story of my two (but actually three) RCEs in SharePoint in 2018 | Soroush Dalili (@irsdl) -- سروش دلیلی](https://soroush.secproject.com/blog/2018/12/story-of-two-published-rces-in-sharepoint-workflows/) \
51 | [Beware of Deserialisation in .NET Methods and Classes + Code Execution via Paste!](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/december/beware-of-deserialisation-in-.net-methods-and-classes-code-execution-via-paste/) \
52 | [cat ~/footstep.ninja/blog.txt](https://footstep.ninja/posts/password-reset/) \
53 | [Blog - RCE due to ShowExceptions](https://blog.harshjaiswal.com/rce-due-to-showexceptions) \
54 | [MB blog: Vulnerability in Hangouts Chat: from open redirect to code execution](https://blog.bentkowski.info/2018/07/vulnerability-in-hangouts-chat-aka-how.html) \
55 | [Blog on Gopherus Tool](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/) \
56 | [DNS Rebinding Headless Browsers](https://labs.mwrinfosecurity.com/blog/from-http-referer-to-aws-security-credentials/)
57 | 


--------------------------------------------------------------------------------
/2019.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2019
 2 | 
 3 | [Cached and Confused: Web Cache Deception in the Wild](https://sajjadium.github.io/files/usenixsec2020wcd_paper.pdf) \
 4 | [Facebook Messenger server random memory exposure through corrupted GIF](https://www.vulnano.com/2019/03/facebook-messenger-server-random-memory.html) \
 5 | [Exploring Continuous Integration Services as a Bug Bounty Hunter](https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here/) \
 6 | [Cross-Site Leaks](https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html) \
 7 | [HTTP Desync Attacks: Request Smuggling Reborn](https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn) \
 8 | [Let's Make Windows Defender Angry: Antivirus can be an oracle!](https://speakerdeck.com/icchy/lets-make-windows-defender-angry-antivirus-can-be-an-oracle) \
 9 | [At Home Among Strangers](https://speakerdeck.com/bo0om/at-home-among-strangers?slide=9) \
10 | [Exploiting padding oracles with fixed IVs](https://blog.teddykatz.com/2019/11/23/json-padding-oracles.html) \
11 | [XSS in GMail's AMP4Email via DOM Clobbering](https://research.securitum.com/xss-in-amp4email-dom-clobbering/) \
12 | [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) \
13 | [Unveiling vulnerabilities in WebSocket APIs](https://speakerdeck.com/0ang3el/whats-wrong-with-websocket-apis-unveiling-vulnerabilities-in-websocket-apis) \
14 | [CPDoS: Cache Poisoned Denial of Service](https://cpdos.org/) \
15 | [Security analysis of portal element](https://research.securitum.com/security-analysis-of-portal-element/) \
16 | [Owning The Clout Through Server Side Request Forgery](https://www.youtube.com/watch?v=o-tL9ULF0KI) \
17 | [Microsoft Edge (Chromium) - Elevation of Privilege to Potential RCE](https://leucosite.com/Edge-Chromium-EoP-RCE/) \
18 | [Abusing autoresponders and email bounces](https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2) \
19 | [Infiltrating Corporate Intranet Like NSA: Pre-Auth RCE On Leading SSL VPNs](https://www.youtube.com/watch?v=1IoythC_pIY) \
20 | [ESI Injection Part 2: Abusing specific implementations](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations) \
21 | [A Tale of Exploitation in Spreadsheet File Conversions](https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/) \
22 | [Reusing Cookies](https://medium.com/@ricardoiramar/reusing-cookies-23ed4691122b) \
23 | [SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP](https://www.silentrobots.com/blog/2019/02/06/ssrf-protocol-smuggling-in-plaintext-credential-handlers-ldap/) \
24 | [Exploiting prototype pollution - RCE in Kibana](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/) \
25 | [Exploiting SSRF in AWS Elastic Beanstalk](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/) \
26 | [Don't open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, ...](https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/) \
27 | [Finding and Exploiting .NET Remoting over HTTP using Deserialisation](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/) \
28 | [Getting Shell with XAMLX Files](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/august/getting-shell-with-xamlx-files/) \
29 | [Common Security Issues in Financially-Oriented Web Applications](https://www.nccgroup.trust/uk/our-research/common-security-issues-in-financially-orientated-web-applications/) \
30 | [IIS Application vs. Folder Detection During Blackbox Testing](https://soroush.secproject.com/blog/2019/07/iis-application-vs-folder-detection-during-blackbox-testing/) \
31 | [Exploiting Deserialisation in ASP.NET via ViewState](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) \
32 | [The Cookie Monster in Your Browsers](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers) \
33 | [DOMPurify 2.0.0 bypass using mutation XSS](https://research.securitum.com/dompurify-bypass-using-mxss/) \
34 | [XSS-Auditor --- the protector of unprotected and the deceiver of protected](https://medium.com/@terjanq/xss-auditor-the-protector-of-unprotected-f900a5e15b7b) \
35 | [Get pwned by scanning QR Code](https://payatu.com/blog/nikhil-mittal/firefox-ios-qr-code-reader-xss-(cve-2019-17003)) \
36 | [Remote Code Execution via Insecure Deserialization in Telerik UI](https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui) \
37 | [Exploiting Null Byte Buffer Overflow for a $40,000 bounty](https://samcurry.net/filling-in-the-blanks-exploiting-null-byte-buffer-overflow-for-a-40000-bounty/) \
38 | [The world of Site Isolation and compromised renderer](https://www.youtube.com/watch?v=ppW_soCb6wM) \
39 | [Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html) \
40 | [All is XSS that comes to the .NET](https://blog.isec.pl/all-is-xss-that-comes-to-the-net/) \
41 | [SSO Wars: The Token Menace](https://i.blackhat.com/USA-19/Wednesday/us-19-Munoz-SSO-Wars-The-Token-Menace-wp.pdf) \
42 | [HostSplit: Exploitable Antipatterns in Unicode Normalization](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization-wp.pdf) \
43 | [Google Search XSS](https://www.youtube.com/watch?v=gVrdE6g_fa8) \
44 | [Backchannel Leaks on Strict Content-Security Policy](https://mazinahmed.net/blog/backchannel-leaks-on-strict-csp-policy/) \
45 | [Uploading web.config for Fun and Profit 2](https://soroush.secproject.com/blog/2019/08/uploading-web-config-for-fun-and-profit-2/) \
46 | [Exploiting Spring Boot Actuators](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators) \
47 | [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java) \
48 | [Apache Solr Injection Research](https://github.com/veracode-research/solr-injection) \
49 | [PHP-FPM RCE(CVE-2019-11043)](https://blog.orange.tw/2019/10/an-analysis-and-thought-about-recently.html) \
50 | [Bypassing SOP Using the Browser Cache](https://portswigger-labs.net/fmnt.php?x=acunetix.com/blog/web-security-zone/bypassing-sop-using-the-browser-cache/) \
51 | [Reverse proxies & Inconsistency](https://www.youtube.com/watch?v=ZfKuOdbQt2c) \
52 | [x-up-devcap-post-charset Header in ASP.NET to Bypass WAFs Again](https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/)
53 | 


--------------------------------------------------------------------------------
/2020.md:
--------------------------------------------------------------------------------
 1 | # Web Hacking Techniques 2020
 2 | 
 3 | -   [Write-up for a Path Traversal on Gravitee.io](https://medium.com/@maxime.escourbiac/write-up-of-path-traversal-on-gravitee-io-8835941be69f)
 4 | -   [Fastjson: exceptional deserialization vulnerabilities](https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html)
 5 | -   [Room for Escape: Scribbling Outside the Lines of Template Security](https://i.blackhat.com/USA-20/Wednesday/us-20-Munoz-Room-For-Escape-Scribbling-Outside-The-Lines-Of-Template-Security-wp.pdf)
 6 | -   [Web Cache Entanglement: Novel Pathways to Poisoning](https://portswigger.net/research/web-cache-entanglement)
 7 | -   [TLS-poison](https://github.com/jmdx/TLS-poison/)
 8 | -   [HTTP Request Smuggling in 2020](https://i.blackhat.com/USA-20/Wednesday/us-20-Klein-HTTP-Request-Smuggling-In-2020-New-Variants-New-Defenses-And-New-Challenges.pdf)
 9 | -   [h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)
10 | -   [Redefining Impossible: XSS without arbitrary JavaScript ](https://portswigger.net/research/redefining-impossible-xss-without-arbitrary-javascript)
11 | -   [The Curious Case of Copy & Paste - on risks of pasting arbitrary content in browsers](https://research.securitum.com/the-curious-case-of-copy-paste/)
12 | -   [Mutation XSS via namespace confusion - DOMPurify < 2.0.17 bypass](https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/)
13 | -   [Salesforce Lightning - An in-depth look at exploitation vectors for the everyday community](https://www.enumerated.de/index/salesforce)
14 | -   [Advanced MSSQL Injection Tricks](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
15 | -   [SD-PWN Part 2 --- Citrix SD-WAN Center](https://medium.com/realmodelabs/sd-pwn-part-2-citrix-sd-wan-center-another-network-takeover-a9c950a1a27c)
16 | -   [Portable Data exFiltration: XSS for PDFs ](https://portswigger.net/research/portable-data-exfiltration)
17 | -   [Blind SQL Injection without an "in"](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
18 | -   [Chaining Exposed Actuators and H2 Database Aliases in Spring Boot 2 ](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database)
19 | -   [Exploiting email address parsing with AWS SES](https://nathandavison.com/blog/exploiting-email-address-parsing-with-aws-ses)
20 | -   [Revisiting ReDoS: A Rough Idea of Data Exfiltration by ReDoS and Side-channel Techniques](https://speakerdeck.com/lmt_swallow/revisiting-redos-a-rough-idea-of-data-exfiltration-by-redos-and-side-channel-techniques)
21 | -   [Attacking Secondary Contexts in Web Applications](https://docs.google.com/presentation/d/1N9Ygrpg0Z-1GFDhLMiG3jJV6B_yGqBk8tuRWO1ZicV8/edit#slide=id.p)
22 | -   [Exploiting POST-based XSSI](https://blog.cm2.pw/exploiting-post-based-xssi/)
23 | -   [Uninitialized Memory Disclosures in Web Applications](https://blog.silentsignal.eu/2020/04/20/uninitialized-memory-disclosures-in-web-applications/)
24 | -   [Researching Polymorphic Images for XSS on Google Scholar](https://blog.doyensec.com/2020/04/30/polymorphic-images-for-xss.html)
25 | -   [Secret fragments: Remote code execution on Symfony based websites](https://www.ambionics.io/blog/symfony-secret-fragment)
26 | -   [The unexpected Google wide domain check bypass](https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/)
27 | -   [Marginwidth/marginheight - the unexpected cross-origin communication channel](https://research.securitum.com/marginwidth-marginheight-the-unexpected-cross-origin-communication-channel/)
28 | -   [CSS data exfiltration in Firefox via a single injection point](https://research.securitum.com/css-data-exfiltration-in-firefox-via-single-injection-point/)
29 | -   [ImageMagick - Shell injection via PDF password](https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html)
30 | -   [Forcing Firefox to Execute XSS Payloads during 302 Redirects ](https://www.gremwell.com/firefox-xss-302)
31 | -   [TURN server allows TCP and UDP proxying to internal network](https://hackerone.com/reports/333419)
32 | -   [AST Injection, Prototype Pollution to RCE](https://blog.p6.is/AST-Injection/)
33 | -   [Bypass SameSite Cookies Default to Lax and get CSRF](https://medium.com/@renwa/bypass-samesite-cookies-default-to-lax-and-get-csrf-343ba09b9f2b)
34 | -   [Covert Web Shells in .NET with Read-Only Web Paths](https://www.mdsec.co.uk/2020/10/covert-web-shells-in-net-with-read-only-web-paths/)
35 | -   [A Security Review of SharePoint Site Pages](https://www.mdsec.co.uk/2020/03/a-security-review-of-sharepoint-site-pages/)
36 | -   [My hacking adventures with Safari reader mode](https://payatu.com/blog/nikhil-mittal/my-hacking-adventures-with-safari-reader-mode)
37 | -   [Code injection in Workflows leading to SharePoint RCE](https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/)
38 | -   [The Powerful HTTP Request Smuggling](https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142)
39 | -   [NAT Slipstreaming](https://samy.pl/slipstream/)
40 | -   [Smuggling HTTP headers through reverse proxies](https://github.security.telekom.com/2020/05/smuggling-http-headers-through-reverse-proxies.html)
41 | -   [XXE-scape through the front door: circumventing the firewall with HTTP request smuggling](https://honoki.net/2020/03/18/xxe-scape-through-the-front-door-circumventing-the-firewall-with-http-request-smuggling/)
42 | -   [Exploiting "Google BigQuery" SQL Injection Vulnerability](https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/)
43 | -   [WAF evasion techniques](https://blog.isec.pl/waf-evasion-techniques/)
44 | -   [Exploiting dynamic rendering engines to take control of web apps](https://r2c.dev/blog/2020/exploiting-dynamic-rendering-engines-to-take-control-of-web-apps/)
45 | -   [Unauthenticated RCE on MobileIron MDM](https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html)
46 | -   [Blind SSRF exploitation](https://lab.wallarm.com/blind-ssrf-exploitation/)
47 | -   [Story of a weird vulnerability I found on Facebook](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125)
48 | -   [Weird Vulnerabilities Happening on Load Balancers, Shallow Copies and Caches](https://medium.com/dataseries/weird-vulnerabilities-happening-on-load-balancers-shallow-copies-and-caches-9194d4f72322)
49 | -   [Unauthorized Google Maps API Key Usage Cases](https://ozguralp.medium.com/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e)
50 | -   [XSS fun with animated SVG](https://blog.isec.pl/xss-fun-with-animated-svg/)
51 | -   [Exploiting HSQLDB](https://swarm.ptsecurity.com/rce-in-f5-big-ip/)
52 | -   [Real-life OIDC Security (II): Login Confusion](https://security.lauritz-holtmann.de/post/sso-security-login-confusion/)
53 | -   [Security and Privacy of Social Logins](https://www.nds.ruhr-uni-bochum.de/media/nds/arbeiten/2020/10/29/Masterarbeit_Louis_Jannett_Security_and_Privacy_of_Social_Logins.pdf)
54 | -   [Cache-Key Normalization | What could go wrong?](https://iustin24.github.io/Cache-Key-Normalization-Denial-of-Service/)
55 | -   [Hacking AWS Cognito Misconfigurations](https://notsosecure.com/hacking-aws-cognito-misconfigurations/)
56 | -   [Attacking MS Exchange Web Interfaces](https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/)
57 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # List of Top Ten Web Hacking Techniques (as seen on TV!)
 2 | 
 3 | This project includes all links (not just top 10) that were listed in Top 10 Web Hacking Techniques since its begininng. Collecting this list was started by Jeremiah Grossman (@jeremiahg) and continued by James Kettle (@albinowax).
 4 | 
 5 | As some of these links are really old, they might not be available anymore but https://web.archive.org/ can help.
 6 | 
 7 | # References
 8 | 
 9 | [2006](http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html) \
10 | [2007](http://jeremiahgrossman.blogspot.com/2008/01/top-ten-web-hacks-of-2007-official.html) \
11 | [2008](http://jeremiahgrossman.blogspot.com/2009/02/top-ten-web-hacking-techniques-of-2008.html) \
12 | [2009](http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html) \
13 | [2010](http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html) \
14 | [2011](https://www.whitehatsec.com/blog/vote-now-top-ten-web-hacking-techniques-of-2011/) \
15 | [2012](https://www.whitehatsec.com/blog/top-ten-web-hacking-techniques-of-2012/) \
16 | [2013](https://www.whitehatsec.com/blog/top-10-web-hacking-techniques-2013) \
17 | [2014](https://www.whitehatsec.com/blog/top-10-web-hacking-techniques-of-2014/) \
18 | [2015](https://www.whitehatsec.com/blog/top-10-web-hacking-techniques-of-2015/) \
19 | [2016/17](https://portswigger.net/blog/top-10-web-hacking-techniques-of-2017) \
20 | [2018](https://portswigger.net/research/top-10-web-hacking-techniques-of-2018-nominations-open) \
21 | [2019](https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open) 
22 | [2020](https://portswigger.net/research/top-10-web-hacking-techniques-of-2020-nominations-open)
23 | 


--------------------------------------------------------------------------------