  • ■ ■ ■ ■ ■
    README.md
    skipped 3 lines
    4 4   
    5 5  There are a number of new hackers joining the community on a regular basis and more than often the first thing they ask is "How do I get started and what are some good resources?". As a hacker, there a ton of techniques, terminologies, and topics you need to familiarize yourself with to understand how an application works. Cody Brocious [(@daeken)](http://twitter.com/daeken), I put these resources together in order to help new hackers with resources to learn the basics of Web Application Security.
    6 6   
    7  -We understand that there are more resources other than the ones we have listed and we hope to cover more resources in the near future!
     7 +We understand that there are more resources other than the ones we have listed and we hope to cover more resources in the near future!<br>
     8 + 
     9 +[Changelog: See what's new!](/assets/changelog.md)
    8 10   
    9 11  ---
    10 12  ## Table of Contents
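Review bot: The `<br>` appended at new line 7 is redundant, because the blank line added at new line 8 already ends the paragraph before the changelog link; drop the `<br>` so the Markdown stays plain. Since this paragraph is being edited anyway, the context sentence above it still reads "there a ton of techniques" and "Cody Brocious (@daeken), I put these resources together", which would be worth fixing in the same commit.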
    skipped 10 lines
  • ■ ■ ■ ■ ■ ■
    assets/blogposts.md
    skipped 17 lines
    18 18  - [Automation](#Automation)
    19 19  - [Buffer Overflow](#Buffer-Overflow)
    20 20  - [IDOR](#IDOR)
     21 +- [GraphQL](#GraphQL)
    21 22  - [Misc](#Misc)
    22 23  ## XSS
    23 24  You can find a ton of awesome XSS reports by searching through the HackerOne Hacktivity Page (https://hackerone.com/hacktivity?querystring=XSS). Here are some more complex and some of my favorite XSS related blog posts:
    24 25   
    25  -- [XSS on Google Search - Sanitizing HTML in The Client?](https://www.youtube.com/watch?v=lG7U3fuNw3A) - by LiveOverflow
     26 +- [XSS on Google Search - Sanitizing HTML in The Client?](https://www.youtube.com/watch?v=lG7U3fuNw3A) - LiveOverflow
    26 27   - [The Fix](https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa)
    27  -- [Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program](https://samcurry.net/cracking-my-windshield-and-earning-10000-on-the-tesla-bug-bounty-program/) - by [Sam Curry](https://twitter.com/samwcyo)
    28  -- [Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty](https://medium.com/bugbountywriteup/effortlessly-finding-cross-site-script-inclusion-xssi-jsonp-for-bug-bounty-38ae0b9e5c8a) - by [@th3_hidd3n_mist](https://twitter.com/th3_hidd3n_mist)
    29  -- [Microsoft Edge (Chromium) - EoP via XSS to Potential RCE](https://leucosite.com/Edge-Chromium-EoP-RCE/) - by [@Qab](https://twitter.com/qab)
     28 +- [Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program](https://samcurry.net/cracking-my-windshield-and-earning-10000-on-the-tesla-bug-bounty-program/) - [Sam Curry](https://twitter.com/samwcyo)
     29 +- [Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty](https://medium.com/bugbountywriteup/effortlessly-finding-cross-site-script-inclusion-xssi-jsonp-for-bug-bounty-38ae0b9e5c8a) - [@th3_hidd3n_mist](https://twitter.com/th3_hidd3n_mist)
     30 +- [Microsoft Edge (Chromium) - EoP via XSS to Potential RCE](https://leucosite.com/Edge-Chromium-EoP-RCE/) - [@Qab](https://twitter.com/qab)
    30 31  ### DOM XSS
    31  -- https://hackerone.com/reports/297968
    32  -- https://hackerone.com/reports/168165
    33  -- https://www.rafaybaloch.com/2017/06/a-tale-of-dom-based-xss-in-paypal.html
     32 +- [Persistent DOM-based XSS in https://help.twitter.com via localStorage](https://hackerone.com/reports/297968) - harisec
     33 +- [DOM based XSS in search functionality](https://hackerone.com/reports/168165) - sameoldstory
     34 +- [A Tale Of A DOM Based XSS In Paypal](https://www.rafaybaloch.com/2017/06/a-tale-of-dom-based-xss-in-paypal.html) - Rafay Baloch
     35 +- [H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing](https://hackerone.com/reports/422043) - filedescriptor
    34 36  ### Stored XSS
    35  -- https://blog.bentkowski.info/2018/09/another-xss-in-google-colaboratory.html
    36  -- https://medium.com/@Alra3ees/google-adwords-3133-7-stored-xss-27bb083b8d27
    37  -- https://opnsec.com/2018/03/stored-xss-on-facebook/
    38  -- https://klikki.fi/adv/yahoo.html
    39  -- https://klikki.fi/adv/yahoo2.html
    40  -- https://hackerone.com/reports/422043
    41  -- https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss
     37 +- [Another XSS in Google Colaboratory](https://blog.bentkowski.info/2018/09/another-xss-in-google-colaboratory.html) - Michał Bentkowski
     38 +- [Google adwords 3133.7$ Stored XSS](https://medium.com/@Alra3ees/google-adwords-3133-7-stored-xss-27bb083b8d27) - Emad Shanab
     39 +- [Stored XSS on Facebook](https://opnsec.com/2018/03/stored-xss-on-facebook/) - Enguerran Gillier
     40 +- [Yahoo Mail stored XSS](https://klikki.fi/adv/yahoo.html) - Jouko Pynnönen
     41 +- [Yahoo Mail stored XSS #2](https://klikki.fi/adv/yahoo2.html) - Jouko Pynnönen
     42 +- [Account Recovery XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) - Gábor Molnár
    42 43  ### CSP Bypass
    43 44  - https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html
    44 45   
    45 46  ## SSRF
    46 47  - [DEF CON 27 Conference - Ben Sadeghipour - Owning The Clout Through Server Side Request Forgery](https://www.youtube.com/watch?v=o-tL9ULF0KI)<br>- Nahamsec & daeken | DEFCON 2019
    47 48  - [Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks](https://peertube.opencloud.lu/videos/watch/40f39bfe-6d3c-40f5-bcab-43f20944ca6a)<br>- Alyssa Herrera | Hack.lu 2019
    48  -- [Vimeo upload function SSRF](https://medium.com/@dPhoeniixx/vimeo-upload-function-ssrf-7466d8630437) - by Sayed Abdelhafiz
     49 +- [Vimeo upload function SSRF](https://medium.com/@dPhoeniixx/vimeo-upload-function-ssrf-7466d8630437) - Sayed Abdelhafiz
    49 50   
    50 51   
    51 52  ## Vulnerability Scanning
    52  -- [NMAP For Vulnerability Discovery](https://www.peerlyst.com/posts/nmap-for-vulnerability-discovery-sachin-wagh) - by Sachin Wagh
     53 +- [NMAP For Vulnerability Discovery](https://www.peerlyst.com/posts/nmap-for-vulnerability-discovery-sachin-wagh) - Sachin Wagh
    53 54   
    54 55  ## Token / Authentication
    55  -- [Abusing feature to steal your tokens](https://medium.com/@rootxharsh_90844/abusing-feature-to-steal-your-tokens-f15f78cebf74) - by Harsh Jaiswal
    56  -- [How I was able to bypass OTP code requirement in Razer [The story of a critical bug]](https://medium.com/bugbountywriteup/how-i-was-able-to-bypass-otp-token-requirement-in-razer-the-story-of-a-critical-bug-fc63a94ad572?) - by Ananda Dhakal
    57  -- [Bypassing GitHub's OAuth flow](https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html) - by [@not_aardvark](https://twitter.com/not_aardvark)
     56 +- [Abusing feature to steal your tokens](https://medium.com/@rootxharsh_90844/abusing-feature-to-steal-your-tokens-f15f78cebf74) - Harsh Jaiswal
     57 +- [How I was able to bypass OTP code requirement in Razer [The story of a critical bug]](https://medium.com/bugbountywriteup/how-i-was-able-to-bypass-otp-token-requirement-in-razer-the-story-of-a-critical-bug-fc63a94ad572?) - Ananda Dhakal
     58 +- [Bypassing GitHub's OAuth flow](https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html) - [@not_aardvark](https://twitter.com/not_aardvark)
    58 59   
    59 60   
    60 61  ## SQL Injection
    61 62  - [Time-Based Blind SQL Injection In GraphQL](https://medium.com/bugbountywriteup/time-based-blind-sql-injection-in-graphql-39a25a1dfb3c) - Divyanshu Shukla
    62  -- [SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database](https://hackerone.com/reports/531051) - by spaceraccoon
     63 +- [SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database](https://hackerone.com/reports/531051) - spaceraccoon
     64 +- [Finding SQL injections fast with white-box analysis — a recent bug example](https://medium.com/@frycos/finding-sql-injections-fast-with-white-box-analysis-a-recent-bug-example-ca449bce6c76?) - [@frycos](https://twitter.com/frycos)
     65 +- [How we hacked one of the worlds largest Cryptocurrency Website](https://strynx.org/insecure-crypto-code-execution/) - [strynx](https://strynx.org/)
    63 66   
    64 67  ## Mobile
    65 68  ### iOS
    66  -- [From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13](https://spaceraccoon.dev/from-checkra1n-to-frida-ios-app-pentesting-quickstart-on-ios-13) - by spaceraccoon
     69 +- [From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13](https://spaceraccoon.dev/from-checkra1n-to-frida-ios-app-pentesting-quickstart-on-ios-13) - spaceraccoon
    67 70  ## Android
    68  -- [A deep dive into reversing Android pre-Installed apps](https://github.com/maddiestone/ConPresentations/blob/master/Blackhat2019.SecuringTheSystem.pdf) and the [BlackHat Talk](https://www.youtube.com/watch?v=U6qTcpCfuFc) - by Maddie Stone
     71 +- [A deep dive into reversing Android pre-Installed apps](https://github.com/maddiestone/ConPresentations/blob/master/Blackhat2019.SecuringTheSystem.pdf) and the [BlackHat Talk](https://www.youtube.com/watch?v=U6qTcpCfuFc) - Maddie Stone
    69 72   
    70 73  ## HTTP Desync
    71  -- [HTTP Desync Attacks: Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn) in combination with this [report](https://hackerone.com/reports/510152) - by [James Kettle](https://twitter.com/albinowax)
    72  -- [HTTP Request Smuggling on vpn.lob.com](https://hackerone.com/reports/694604) - by 0X0 (painreigns)
     74 +- [HTTP Desync Attacks: Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn) in combination with this [report](https://hackerone.com/reports/510152) - [James Kettle](https://twitter.com/albinowax)
     75 +- [HTTP Request Smuggling on vpn.lob.com](https://hackerone.com/reports/694604) - 0X0 (painreigns)
    73 76   
    74 77  ## File Upload
    75  -- [Webshell via File Upload on ecjobs.starbucks.com.cn](https://hackerone.com/reports/506646) - by johnstone
    76  -- [Facebook Messenger server random memory exposure through corrupted GIF image ](https://www.vulnano.com/2019/03/facebook-messenger-server-random-memory.html) - by [@xdzmitry](https://twitter.com/xdzmitry)
    77  -- [A Tale of Exploitation in Spreadsheet File Conversions](https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/) - by [@bbuerhaus](https://twitter.com/bbuerhaus)[@daeken](https://twitter.com/daeken)[@erbbysam](https://twitter.com/erbbysam)[@smiegles](https://twitter.com/smiegles)
     78 +- [Webshell via File Upload on ecjobs.starbucks.com.cn](https://hackerone.com/reports/506646) - johnstone
     79 +- [Facebook Messenger server random memory exposure through corrupted GIF image ](https://www.vulnano.com/2019/03/facebook-messenger-server-random-memory.html) - [@xdzmitry](https://twitter.com/xdzmitry)
     80 +- [A Tale of Exploitation in Spreadsheet File Conversions](https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/) - [@bbuerhaus](https://twitter.com/bbuerhaus)//[@daeken](https://twitter.com/daeken)//[@erbbysam](https://twitter.com/erbbysam)//[@smiegles](https://twitter.com/smiegles)
    78 81   
    79 82  ## Automation
    80  -- [Fasten your Recon process using Shell Scripting](https://medium.com/bugbountywriteup/fasten-your-recon-process-using-shell-scripting-359800905d2a) - by Mohd Shibli
    81  -- [Beginner’s Guide to recon automation](https://medium.com/bugbountywriteup/beginners-guide-to-recon-automation-f95b317c6dbb) - by Ashish Jha
    82  -- [Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty)](https://www.youtube.com/watch?v=3K1-a7dnA60) - by STÖK & Fisher
     83 +- [Fasten your Recon process using Shell Scripting](https://medium.com/bugbountywriteup/fasten-your-recon-process-using-shell-scripting-359800905d2a) - Mohd Shibli
     84 +- [Beginner’s Guide to recon automation](https://medium.com/bugbountywriteup/beginners-guide-to-recon-automation-f95b317c6dbb) - Ashish Jha
     85 +- [Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty)](https://www.youtube.com/watch?v=3K1-a7dnA60) - STÖK & Fisher
    83 86   
    84 87  ## Buffer Overflow
    85  -- [Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty](https://samcurry.net/filling-in-the-blanks-exploiting-null-byte-buffer-overflow-for-a-40000-bounty/) - by [Sam Curry](https://twitter.com/samwcyo)
     88 +- [Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty](https://samcurry.net/filling-in-the-blanks-exploiting-null-byte-buffer-overflow-for-a-40000-bounty/) - [Sam Curry](https://twitter.com/samwcyo)
     89 +- [Writing a Simple Buffer Overflow Exploit](https://www.youtube.com/watch?v=oS2O75H57qU) - LiveOverflow
    86 90   
    87 91  ## IDOR
    88  -- [Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method](https://www.indoappsec.in/2019/12/airbnb-steal-earning-of-airbnb-hosts-by.html) - by [Vijay Kumar ](https://twitter.com/IndoAppSec)
    89  -- [GraphQL IDOR leads to information disclosure](https://medium.com/@R0X4R/graphql-idor-leads-to-information-disclosure-175eb560170d) - by [@R0X4R](https://twitter.com/R0X4R)
     92 +- [Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method](https://www.indoappsec.in/2019/12/airbnb-steal-earning-of-airbnb-hosts-by.html) - [Vijay Kumar ](https://twitter.com/IndoAppSec)
     93 +- [GraphQL IDOR leads to information disclosure](https://medium.com/@R0X4R/graphql-idor-leads-to-information-disclosure-175eb560170d) - [@R0X4R](https://twitter.com/R0X4R)
     94 +- [From Multiple IDORs leading to Code Execution on a different Host Container](https://www.rahulr.in/2019/10/idor-to-rce.html?m=1) - [@Rahul_R95](https://twitter.com/Rahul_R95)
     95 + 
     96 +## GraphQL
     97 +- [Private System Note Disclosure using GraphQL](https://hackerone.com/reports/633001) - Ron Chan
     98 +- [Graphql Abuse to Steal Anyone’s Address](https://blog.usejournal.com/graphql-bug-to-steal-anyones-address-fc34f0374417) - pratik yadav
    90 99   
    91 100  ## Misc
    92  -- [Writing a Simple Buffer Overflow Exploit](https://www.youtube.com/watch?v=oS2O75H57qU) - by LiveOverflow
     101 +- [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) - [maverickNerd](https://github.com/maverickNerd)
    93 102  - [Hacking GitHub with Unicode's dotless 'i'](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)
    94  -- [Abusing autoresponders and email bounces](https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2) - by securinti
    95  -- [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) - by [@nj_dav](https://twitter.com/nj_dav)
     103 +- [Abusing autoresponders and email bounces](https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2) - securinti
     104 +- [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) - [@nj_dav](https://twitter.com/nj_dav)
     105 +- [Cracking reCAPTCHA, Turbo Intruder style](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style) - James Kettle
     106 +- [Abusing ImageMagick to obtain RCE](https://strynx.org/imagemagick-rce/) - [strynx](https://strynx.org/)
    96 107   
    97 108  ---
    98 109  back to [Intro Page](/README.md)
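Review bot: The link cleanup stops short in the XSS section: the `### CSP Bypass` entry at new line 44 is still a bare URL, while every DOM XSS and Stored XSS entry above it was converted to a titled link with an author, so give it the same `[title](url) - author` form. `## Android` at new line 70 also sits at the same level as `## Mobile` while `### iOS` is nested under it; it should be `### Android`. Smaller points: the Medium URLs at new lines 57 and 64 end in a stray `?`, the link text `[Vijay Kumar ]` at new line 92 carries a trailing space, and the author list at new line 80 uses `//` with no surrounding spaces, which renders as one run of handles.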
  • ■ ■ ■ ■ ■ ■
    assets/changelog.md
     1 +# Resources-for-Beginner-Bug-Bounty-Hunters
     2 + 
     3 +## Changelog
     4 + 
     5 +Updates to this repo will be pushed monthly. You can read about the latest changes below.
     6 + 
     7 +## Update 2020.01
     8 +### Added
     9 +- New changelog page
     10 +- New content in [Blogposts](/assets/blogposts.md)
     11 +- Designated section to get started with [Burp Suite](/assets/setup.md#setup)
     12 +- Link from the Burp Tool section to the setup guide
     13 +- Recon Pi to [Tools](/assets/tools.md#others)
     14 + 
     15 +### Changed
     16 +- Updated the Twitter Descriptions in [media.md](/assets/media.md)
     17 +- Cleaned up [Setup Page](/assets/setup.md)
     18 +- Cleaned up [Blogposts Page](/assets/blogposts.md)
     19 +---
     20 +back to [Intro Page](/README.md)
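Review bot: The Burp Suite link at new line 11 targets `/assets/setup.md#setup`, but this same commit moves the Burp material under a new `## Burp Suite` heading in setup.md, so the link lands on the general Setup section rather than the section the entry announces; point it at the Burp Suite heading's anchor. New line 13 links to `/assets/tools.md#others`; the heading that anchor refers to is not visible in this diff, so please confirm it exists.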
  • ■ ■ ■ ■ ■ ■
    assets/media.md
    skipped 16 lines
    17 17  - [TomNomNom](https://www.youtube.com/user/TomNomNomDotCom)- Educational Videos about Hacking, Scripting, Bug Bounty, Writing your own Tools
    18 18  - [The Cyber Mentor](https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw) - Educational Videos about InfoSec, Penetration Testing, Web Security, Scripting, etc.
    19 19  - [InsiderPhD](https://www.youtube.com/channel/UCPiN9NPjIer8Do9gUFxKv7A) - An excellent Introduction series for beginners to help them find their first bug.
     20 +- [PwnFunction](https://www.youtube.com/PwnFunction) explanatory videos about Web App vulnerabilities
    20 21  - [DEFCONConference](https://www.youtube.com/user/DEFCONConference/videos) - Tons of Talks from Defcon.
    21 22   
    22 23  ## Streamers
    23 24  - [Nahamsec](https://www.twitch.com/nahamsec) on Twitch
    24  -- [d0nutptr](http://www.twitch.tv/d0nutptr/) on Twitch
     25 +- [d0nutptr](https://www.twitch.tv/d0nutptr/) on Twitch
     26 +- [The Cyber Mentor](https://twitch.tv/theblindhackercybermentor) on Twitch
     27 +- [The Blind Hacker](https://twitch.tv/theblindhacker) on Twitch
     28 + 
    25 29   
    26 30  ## Podcasts
    27 31  - [Darknet Diaries](https://darknetdiaries.com/) by [Jack Rhysider](https://twitter.com/jackrhysider)
    28 32  - [The Bug Bounty Podcast](https://open.spotify.com/show/3yTTlfXH1avrI3FsXZyCpv) by Fisher
     33 +- [Bug Hunter Podcast](https://anchor.fm/bughunter)
    29 34   
    30 35  ## Books
    31 36  - [Real-World Bug Hunting](https://www.amazon.com/Real-World-Bug-Hunting-Field-Hacking/dp/1593278616) by [Peter Yaworski](https://twitter.com/yaworsk)
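Review bot: The Twitch link for The Cyber Mentor at new line 26 points to `twitch.tv/theblindhackercybermentor`, which reads like two handles run together (the next entry is `twitch.tv/theblindhacker`); please confirm the channel URL before merging. The PwnFunction entry at new line 20 is missing the ` - ` separator and the capitalised, full-stop description its neighbours use, and new line 28 adds a second blank line before `## Podcasts`.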
    skipped 1 lines
    33 38  - [The Tangled Web: A Guide to Securing Modern Web Applications](https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886) by
    34 39  Michal Zalewski
    35 40  - [Web Hacking 101: How to Make Money Hacking Ethically](https://leanpub.com/web-hacking-101) by [Peter Yaworski](https://twitter.com/yaworsk)
     41 +- [Black Hat Go](https://nostarch.com/blackhatgo) by Tom Steele, Chris Patten, and Dan Kottmann
     42 +- [Black Hat Python](https://nostarch.com/blackhatpython) by Justin Seitz
     43 + 
     44 +In general ["no starch press"](https://nostarch.com/catalog/security) offers great books in the hacking category. [Humble Bundle](https://www.humblebundle.com) sometimes offfers great book deals for an awesome price, so have a eye out for those.
    36 45   
    37 46  ## Twitter
    38 47  This List does not exclusively contains Bug Bounty themed Accounts but a broad variety of InfoSec and Hacking.<br>
    39  -Descriptions will be added later!.
    40 48   
    41  -| Name | Topics |
    42  -| ------------------------------------------------------- | ------ |
    43  -| [@Alyssa*Herrera*](https://twitter.com/Alyssa_Herrera_) | |
    44  -| [@Bugcrowd](https://twitter.com/Bugcrowd) | |
    45  -| [@DailySwig](https://twitter.com/DailySwig) | |
    46  -| [@DanielMiessler](https://twitter.com/DanielMiessler) | |
    47  -| [@Dinosn](https://twitter.com/Dinosn) | |
    48  -| [@EdOverflow](https://twitter.com/EdOverflow) | |
    49  -| [@GoogleVRP](https://twitter.com/GoogleVRP) | |
    50  -| [@GossiTheDog](https://twitter.com/GossiTheDog) | |
    51  -| [@Hacker0x01](https://twitter.com/Hacker0x01) | |
    52  -| [@HackerSploit](https://twitter.com/HackerSploit) | |
    53  -| [@InsiderPhD](https://twitter.com/InsiderPhD) | |
    54  -| [@JHaddix](https://twitter.com/Jhaddix) | |
    55  -| [@KitPloit](https://twitter.com/KitPloit) | |
    56  -| [@LiveOverflow](https://twitter.com/LiveOverflow) | |
    57  -| [@MalwareTechBlog](https://twitter.com/MalwareTechBlog) | |
    58  -| [@NahamSec](https://twitter.com/NahamSec) | |
    59  -| [@Peerlyst](https://twitter.com/Peerlyst) | |
    60  -| [@PortSwigger](https://twitter.com/PortSwigger) | |
    61  -| [@PwnFunction](https://twitter.com/PwnFunction) | |
    62  -| [@Regala\_](https://twitter.com/Regala_) | |
    63  -| [@Rosenawesome](https://twitter.com/Rosenawesome) | |
    64  -| [@TheBlindHacker](https://twitter.com/TheBlindHacker) | |
    65  -| [@TheHackerNews](https://twitter.com/TheHackersNews) | |
    66  -| [@TheParanoids](https://twitter.com/TheParanoids) | |
    67  -| [@TomNomNom](https://twitter.com/TomNomNom) | |
    68  -| [@\_johnhammond](https://twitter.com/_johnhammond) | |
    69  -| [@\_sn0ww](https://twitter.com/_sn0ww) | |
    70  -| [@ajxchapman](https://twitter.com/ajxchapman) | |
    71  -| [@albinowax](https://twitter.com/albinowax) | |
    72  -| [@autothreat](https://twitter.com/autothreat) | |
    73  -| [@brutelogic](https://twitter.com/brutelogic) | |
    74  -| [@ceos3c](https://twitter.com/ceos3c) | |
    75  -| [@d0nutptr](https://twitter.com/d0nutptr) | |
    76  -| [@daeken](https://twitter.com/daeken) | |
    77  -| [@evilsocket](https://twitter.com/evilsocket) | |
    78  -| [@firebounty](https://twitter.com/firebounty) | |
    79  -| [@fluxfingers](https://twitter.com/fluxfingers) | |
    80  -| [@fs0c131y](https://twitter.com/fs0c131y) | |
    81  -| [@hakluke](https://twitter.com/hakluke) | |
    82  -| [@intigriti](https://twitter.com/intigriti) | |
    83  -| [@jerh17](https://twitter.com/jerh17) | |
    84  -| [@lorenzofb](https://twitter.com/lorenzofb) | |
    85  -| [@maddiestone](https://twitter.com/maddiestone) | |
    86  -| [@malwareunicorn](https://twitter.com/malwareunicorn) | |
    87  -| [@mongobug](https://twitter.com/mongobug) | |
    88  -| [@nnwakelam](https://twitter.com/nnwakelam) | |
    89  -| [@openbugbounty](https://twitter.com/openbugbounty) | |
    90  -| [@orange_8361](https://twitter.com/orange_8361) | |
    91  -| [@owasp](https://twitter.com/owasp) | |
    92  -| [@samykamkar](https://twitter.com/samykamkar) | |
    93  -| [@securinti](https://twitter.com/securinti) | |
    94  -| [@spaceraccoonsec](https://twitter.com/spaceraccoonsec) | |
    95  -| [@stokfredrik](https://twitter.com/stokfredrik) | |
    96  -| [@synack](https://twitter.com/synack) | |
    97  -| [@thecybermentor](https://twitter.com/thecybermentor) | |
    98  -| [@thedawgyg](https://twitter.com/thedawgyg) | |
    99  -| [@thegrugq](https://twitter.com/thegrugq) | |
    100  -| [@yaworsk](https://twitter.com/yaworsk) | |
    101  -| [@yeswehack](https://twitter.com/yeswehack) | |
    102  -| [@zseano](https://twitter.com/zseano) | |
     49 +| Name | Topics |
     50 +| ------------------------------------------------------- | ---------------------------------------------------------------------------- |
     51 +| [@Alyssa*Herrera*](https://twitter.com/Alyssa_Herrera_) | BB |
     52 +| [@Bugcrowd](https://twitter.com/Bugcrowd) | BB, Platform |
     53 +| [@DailySwig](https://twitter.com/DailySwig) | Web Technologie, News |
     54 +| [@DanielMiessler](https://twitter.com/DanielMiessler) | Security, Researcher, [SecLists](https://github.com/danielmiessler/SecLists) |
     55 +| [@Dinosn](https://twitter.com/Dinosn) | Researcher, News, Tools |
     56 +| [@EdOverflow](https://twitter.com/EdOverflow) | Developer, Researcher, @LiveOverflow in disguise |
     57 +| [@GoogleVRP](https://twitter.com/GoogleVRP) | VRP, Program |
     58 +| [@GossiTheDog](https://twitter.com/GossiTheDog) | Researcher |
     59 +| [@Hacker0x01](https://twitter.com/Hacker0x01) | BB, Platform |
     60 +| [@HackerSploit](https://twitter.com/HackerSploit) | General Hacking, Youtuber |
     61 +| [@InsiderPhD](https://twitter.com/InsiderPhD) | BB, Teaching, YouTuber, Beginner friendy content |
     62 +| [@JHaddix](https://twitter.com/Jhaddix) | BB, Bugcrowd, Streaming |
     63 +| [@KitPloit](https://twitter.com/KitPloit) | News, Tools |
     64 +| [@LiveOverflow](https://twitter.com/LiveOverflow) | Hacking, CTF, Teaching, YouTuber, @EdOverflow in disguise |
     65 +| [@MalwareTechBlog](https://twitter.com/MalwareTechBlog) | RE, Security, Hacking, News |
     66 +| [@NahamSec](https://twitter.com/NahamSec) | BB, Teaching, Streaming |
     67 +| [@Peerlyst](https://twitter.com/Peerlyst) | Articles, Peer Powered Publications |
     68 +| [@PortSwigger](https://twitter.com/PortSwigger) | BB, News, BurpSuite |
     69 +| [@PwnFunction](https://twitter.com/PwnFunction) | YouTuber, Teaching, Web Technologie |
     70 +| [@Regala\_](https://twitter.com/Regala_)(Fisher) | BB, DISTURBANCE, Podcaster |
     71 +| [@Rosenawesome](https://twitter.com/Rosenawesome) | Hacking, Events |
     72 +| [@TheBlindHacker](https://twitter.com/TheBlindHacker) | Hacking, Streamer |
     73 +| [@TheHackerNews](https://twitter.com/TheHackersNews) | News |
     74 +| [@TheParanoids](https://twitter.com/TheParanoids) | BB, "Program" |
     75 +| [@TomNomNom](https://twitter.com/TomNomNom) | Coding, BB, Hacking, DISTURBANCE, Tools |
     76 +| [@\_johnhammond](https://twitter.com/_johnhammond) | Hacking, Web Technologies, Coding, CTF |
     77 +| [@\_sn0ww](https://twitter.com/_sn0ww) | Social Enineering, OSINT |
     78 +| [@ajxchapman](https://twitter.com/ajxchapman) | BB, Researcher |
     79 +| [@albinowax](https://twitter.com/albinowax) | News, BB, Web Technologies, Researcher, BurpSuite |
     80 +| [@autothreat](https://twitter.com/autothreat) | Hacking, Cars |
     81 +| [@brutelogic](https://twitter.com/brutelogic) | Researcher, Teaching, XSS |
     82 +| [@ceos3c](https://twitter.com/ceos3c) | YouTuber, General Hacking, Teaching |
     83 +| [@d0nutptr](https://twitter.com/d0nutptr) | BB, Researcher, (Rust.) |
     84 +| [@daeken](https://twitter.com/daeken) | BB, Researcher |
     85 +| [@evilsocket](https://twitter.com/evilsocket) | Hacking, Coding, Hardware, Tools |
     86 +| [@firebounty](https://twitter.com/firebounty) | BB, Platform |
     87 +| [@fluxfingers](https://twitter.com/fluxfingers) | CTF |
     88 +| [@fs0c131y](https://twitter.com/fs0c131y) | Mobile Applications, Hacking, Web Technologies, Researcher |
     89 +| [@hakluke](https://twitter.com/hakluke) | Researcher, Coding, Tools |
     90 +| [@intigriti](https://twitter.com/intigriti) | BB, Platform |
     91 +| [@jerh17](https://twitter.com/jerh17) | BB, Researcher, Platform |
     92 +| [@lorenzofb](https://twitter.com/lorenzofb) | Journalist |
     93 +| [@maddiestone](https://twitter.com/maddiestone) | Project Zero, Researcher |
     94 +| [@malwareunicorn](https://twitter.com/malwareunicorn) | Researcher, RE, Malware, Unicorn |
     95 +| [@mongobug](https://twitter.com/mongobug) | BB, Researcher |
     96 +| [@nahamsec](https://twitter.com/nahamsec) | BB, Researcher, YouTuber, Streamer, Teaching, Recon |
     97 +| [@nnwakelam](https://twitter.com/nnwakelam) | BB, Researcher |
     98 +| [@openbugbounty](https://twitter.com/openbugbounty) | Platform |
     99 +| [@orange_8361](https://twitter.com/orange_8361) | BB, Researcher |
     100 +| [@owasp](https://twitter.com/owasp) | OWASP |
     101 +| [@samykamkar](https://twitter.com/samykamkar) | Hacking, News, Tools, Hardware |
     102 +| [@securinti](https://twitter.com/securinti) | Researcher, BB |
     103 +| [@spaceraccoonsec](https://twitter.com/spaceraccoonsec) | Researcher, BB |
     104 +| [@stokfredrik](https://twitter.com/stokfredrik) | Researcher, BB, YouTuber, Teaching, Sunglasses |
     105 +| [@synack](https://twitter.com/synack) | Platform, Team, BB |
     106 +| [@thecybermentor](https://twitter.com/thecybermentor) | Streamer, Youtuber, General Hacking, Teaching |
     107 +| [@thedawgyg](https://twitter.com/thedawgyg) | BB |
     108 +| [@thegrugq](https://twitter.com/thegrugq) | Researcher |
     109 +| [@yaworsk](https://twitter.com/yaworsk) | BB, Researcher, Author |
     110 +| [@yeswehack](https://twitter.com/yeswehack) | BB, Platform |
     111 +| [@zseano](https://twitter.com/zseano) | BB, Teaching |
    103 112   
    104 113   
    105 114  ---
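Review bot: The rewritten table lists the same account twice: `@NahamSec` at new line 66 and `@nahamsec` at new line 96, with different topic lists; merge them into one row. Several added cells have typos ("Web Technologie" at lines 53 and 69, "Beginner friendy" at 61, "Social Enineering" at 77), "Youtuber" and "YouTuber" are both used, and the display text `@Alyssa*Herrera*` at line 51 has lost its underscores to emphasis markup and needs them escaped as in `@\_johnhammond`. In the new paragraph at line 44, "offfers" and "have a eye out" should be "offers" and "keep an eye out".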
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    assets/setup.md
    skipped 2 lines
    3 3  ## Setup
    4 4  This section will help you set up your testing environement.
    5 5  - [Setting Up Your Ubuntu Box for Pentest and Bug Bounty Automation](https://www.youtube.com/watch?v=YhUiAH5SIqk) by nahamsec
    6  -- Setting up your own web server on a VPS:<br>
    7  -https://www.linux.com/learn/easy-lamp-server-installation<br>
    8  -- Setting up virtualbox + linux
    9  -https://linuxconfig.org/how-to-install-kali-linux-on-virtualbox
    10  -- Docker For Pentesting And Bug Bounty Hunting
    11  -https://www.youtube.com/watch?v=5G6tA8Q9AuQ
    12  -- Basics of UNIX
    13  -https://lifehacker.com/5633909/who-needs-a-mouse-learn-to-use-the-command-line-for-almost-anything
    14  -- Setting up Burp
    15  -https://www.hacker101.com/playlists/burp_suite
    16  -- Burp Suite Introduction
    17  -https://github.com/bugcrowd/bugcrowd_university/blob/master/An_introduction_to_Burp_Suite/Bugcrowd%20University%20-%20Burp%20Suite%20Introduction.pdf - by Jason Haddix
    18  -- Previously Disclosed Vulnerabilities
    19  -https://hackerone.com/hacktivity
     6 +- [Setting up your own web server on a VPS](https://www.linux.com/learn/easy-lamp-server-installation)
     7 +- [Setting up virtualbox + linux](https://linuxconfig.org/how-to-install-kali-linux-on-virtualbox)
     8 +- [Docker For Pentesting And Bug Bounty Hunting](https://www.youtube.com/watch?v=5G6tA8Q9AuQ)
     9 +- [Basics of UNIX](https://lifehacker.com/5633909/who-needs-a-mouse-learn-to-use-the-command-line-for-almost-anything)
     10 +- [Previously Disclosed Vulnerabilities / HackerOne Hacktivity](https://hackerone.com/hacktivity)
    20 11   
     12 +## Burp Suite
     13 +This section should help you get familiar with BurpSuite.
     14 +- [Setting up Burp (Video Series)](https://www.hacker101.com/playlists/burp_suite) by Hacker101
     15 +- [Burp Suite Introduction](https://github.com/bugcrowd/bugcrowd_university/blob/master/An_introduction_to_Burp_Suite/Bugcrowd%20University%20-%20Burp%20Suite%20Introduction.pdf) by Jason Haddix
     16 +- [Beginners Guide to Burpsuite Payloads (Part 1)](https://www.hackingarticles.in/beginners-guide-burpsuite-payloads-part-1/) by Raj Chandel
     17 +- [Burp Hacks for Bounty Hunters](https://www.youtube.com/watch?v=boHIjDHGmIo) by James Kettle
    21 18  ---
    22 19  back to [Intro Page](/README.md)
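Review bot: The new section spells the product two ways: the heading at new line 12 is `## Burp Suite` while the sentence at new line 13 says "BurpSuite"; use "Burp Suite" in both. The new list at lines 14-17 runs straight into `---` at line 18 without the blank line that separates the Setup list from the Burp Suite heading, and the context sentence at line 4 still has "environement", which this cleanup could fix.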
  • ■ ■ ■ ■ ■
    assets/tools.md
    skipped 14 lines
    15 15  ### Proxy & Network Sniffer
    16 16  | Name | Description | Written in | Created by |
    17 17  |------ |------------- |------------ |------------- |
    18  -|[Burp Suite](https://portswigger.net/burp)|A Proxy to intercept and manipulate Web Traffic (free & paid version).|Java|Port Swigger|
     18 +|[Burp Suite](https://portswigger.net/burp)|A Proxy to intercept and manipulate Web Traffic (free & paid version). [Here](/assets/setup.md#setup) you can find Tips & Tricks to get started with Burp.|Java|Port Swigger|
    19 19  |[OWASP Zap Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)|A Proxy to intercept and manipulate Web Traffic (free).|Java|OWASP|
    20 20  |[Wireshark](https://www.wireshark.org)|Wireshark is a network protocol analyzer that lets you capture and read network packets.|C, C++|The Wireshark team|
    21 21   
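Review bot: The link added to the Burp Suite row at new line 18 goes to `/assets/setup.md#setup`, which is the general Setup heading; the Burp tips now live under the `## Burp Suite` heading that this commit adds to setup.md, so the anchor should target that heading. The link text "Here" is also uninformative on its own; something like "Burp Suite setup guide" reads better in a table cell.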
    skipped 10 lines
    32 32  |[meg](https://github.com/tomnomnom/meg)|meg is a tool for fetching lots of URLs but still being 'nice' to servers. It can be used to fetch many paths for many hosts; fetching one path for all hosts before moving on to the next path and repeating.|Go|[Tom Hudson](https://github.com/tomnomnom)|
    33 33  |[httprobe](https://github.com/tomnomnom/httprobe)|Take a list of domains and probe for working http and https servers.|Go|[Tom Hudson](https://github.com/tomnomnom)|
    34 34  |[Osmedeus](https://github.com/j3ssie/Osmedeus)|Fully automated offensive security framework for reconnaissance and vulnerability scanning|Python|[j3ssie](https://github.com/j3ssie)|
     35 +|[hakrawler](https://github.com/hakluke/hakrawler)|hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover Forms, Endpoints, Subdomains, Related documents and JS Files|Go|[@hakluke](https://twitter.com/hakluke)|
    35 36   
    36 37  #### OSINT Webpages
    37 38  | Name | Description | Created by |
    skipped 39 lines
    77 78  | Name | Description | Written in | Created by |
    78 79  |------ |------------- | ------------ |------------- |
    79 80  |[SecLists](https://github.com/danielmiessler/SecLists)|A huge collection of word lists for hacking.||Daniel Miessler|
     81 +|[Recon Pi](https://github.com/x1mdev/ReconPi)|A lightweight recon tool that performs extensive reconnaissance with the latest tools using a Raspberry Pi.||[@x1m_martijn](https://twitter.com/x1m_martijn)|
    80 82   
    81 83  ---
    82 84  back to [Intro Page](/README.md)
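Review bot: The Recon Pi row at new line 81 leaves the "Written in" column empty. That is understandable for SecLists, which is a word-list collection, but Recon Pi is described as a tool, so the column should be filled in or marked explicitly as not applicable.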
  • ■ ■ ■ ■ ■
    assets/vulns.md
    skipped 14 lines
    15 15  - [A comprehensive tutorial on cross-site scripting](https://excess-xss.com)
    16 16  - [Google Application Security (XSS Guide)](https://www.google.com/intl/am_AD/about/appsecurity/learning/xss/)
    17 17  - [What is PHP and why is XSS so common there?](https://www.youtube.com/watch?v=Q2mGcbkX550) - by LiveOverflow
     18 +- [Finding Your First Bug: Cross Site Scripting (XSS)](https://www.youtube.com/watch?v=IWbmP0Z-yQg) - by InsiderPhD
    18 19   
    19 20  ## Cross-Site Request Forgery (CSRF)
    20 21  - [Cross-Site Request Forgery Attack](https://www.youtube.com/watch?v=eWEgUcHPle0) - by PwnFunction
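Review bot: The entry added at new line 18 uses the "- by InsiderPhD" attribution style, while this same commit strips the "by" prefix from every attribution in blogposts.md. Pick one convention for the repo: either drop "by" here and on the neighbouring lines of this file, or keep it everywhere.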
    skipped 17 lines