1. [Stanford CS 253 Web Security](#Stanford-CS-253-Web-Security)
5
+
2. [HTTP basics](#HTTP-basics)
6
+
3. [Networking basics](#Networking-basics)
7
+
4. [Programming Basics](#Programming-Basics)
8
+
5. [Automation](#Automation)
9
+
10
+
11
+
## Stanford CS 253 Web Security
12
+
13
+
- [Stanford CS 253 Web Security](https://web.stanford.edu/class/cs253/) - by [@feross](https://twitter.com/feross)
14
+
- "This course is a comprehensive overview of web security. The goal is to build an understanding of the most common web attacks and their countermeasures. Given the pervasive insecurity of the modern web landscape, there is a pressing need for programmers and system designers to improve their understanding of web security issues."
8
15
9
16
## HTTP basics
10
17
In order to be able to learn what and how an application works, you need to be able to understand how you are communicating with it. This section is dedicated to all the resources to understand the HTTP basics.
- [Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program](https://samcurry.net/cracking-my-windshield-and-earning-10000-on-the-tesla-bug-bounty-program/) - [Sam Curry](https://twitter.com/samwcyo)
33
34
- [Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty](https://medium.com/bugbountywriteup/effortlessly-finding-cross-site-script-inclusion-xssi-jsonp-for-bug-bounty-38ae0b9e5c8a) - [@th3_hidd3n_mist](https://twitter.com/th3_hidd3n_mist)
34
35
- [Microsoft Edge (Chromium) - EoP via XSS to Potential RCE](https://leucosite.com/Edge-Chromium-EoP-RCE/) - [@Qab](https://twitter.com/qab)
36
+
- [Reflected XSS in https://blocked.myndr.net](https://hackerone.com/reports/824433) - Thilakesh
- [Finding SQL injections fast with white-box analysis — a recent bug example](https://medium.com/@frycos/finding-sql-injections-fast-with-white-box-analysis-a-recent-bug-example-ca449bce6c76?) - [@frycos](https://twitter.com/frycos)
69
75
- [How we hacked one of the worlds largest Cryptocurrency Website](https://strynx.org/insecure-crypto-code-execution/) - [strynx](https://strynx.org/)
76
+
- [Blind SQL Injection on windows10.hi-tech.mail.ru](https://hackerone.com/reports/786044) - Просто душка (api_0)
70
77
71
78
## Mobile
72
79
### iOS
skipped 4 lines
77
84
## HTTP Desync
78
85
- [HTTP Desync Attacks: Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn) in combination with this [report](https://hackerone.com/reports/510152) - [James Kettle](https://twitter.com/albinowax)
79
86
- [HTTP Request Smuggling on vpn.lob.com](https://hackerone.com/reports/694604) - 0X0 (painreigns)
87
+
- [Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies](https://hackerone.com/reports/737140) - Evan Custodio
80
88
81
89
## File Upload
82
90
- [Webshell via File Upload on ecjobs.starbucks.com.cn](https://hackerone.com/reports/506646) - johnstone
83
91
- [Facebook Messenger server random memory exposure through corrupted GIF image ](https://www.vulnano.com/2019/03/facebook-messenger-server-random-memory.html) - [@xdzmitry](https://twitter.com/xdzmitry)
84
92
- [A Tale of Exploitation in Spreadsheet File Conversions](https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/) - [@bbuerhaus](https://twitter.com/bbuerhaus)//[@daeken](https://twitter.com/daeken)//[@erbbysam](https://twitter.com/erbbysam)//[@smiegles](https://twitter.com/smiegles)
93
+
- [External XML Entity via File Upload (SVG)](https://0xatul.github.io/posts/2020/02/external-xml-entity-via-file-upload-svg/) - by 0xatul
94
+
85
95
86
96
## Automation
87
97
- [Fasten your Recon process using Shell Scripting](https://medium.com/bugbountywriteup/fasten-your-recon-process-using-shell-scripting-359800905d2a) - Mohd Shibli
88
98
- [Beginner’s Guide to recon automation](https://medium.com/bugbountywriteup/beginners-guide-to-recon-automation-f95b317c6dbb) - Ashish Jha
89
99
- [Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty)](https://www.youtube.com/watch?v=3K1-a7dnA60) - STÖK & Fisher
100
+
- [gitGraber: A tool to monitor GitHub in real-time to find sensitive data](https://blog.yeswehack.com/2019/10/08/gitgraber-a-tool-to-monitor-github-in-real-time-to-find-sensitive-data/) - by [@adrien_jeanneau](https://twitter.com/adrien_jeanneau) & [@R_Marot](https://twitter.com/R_marot)
90
101
91
102
## Buffer Overflow
92
103
- [Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty](https://samcurry.net/filling-in-the-blanks-exploiting-null-byte-buffer-overflow-for-a-40000-bounty/) - [Sam Curry](https://twitter.com/samwcyo)
skipped 8 lines
101
112
## GraphQL
102
113
- [Private System Note Disclosure using GraphQL](https://hackerone.com/reports/633001) - Ron Chan
103
114
- [Graphql Abuse to Steal Anyone’s Address](https://blog.usejournal.com/graphql-bug-to-steal-anyones-address-fc34f0374417) - pratik yadav
115
+
- [Email address of any user can be queried on Report Invitation GraphQL type when username is known](https://hackerone.com/reports/792927) - msdian7
104
116
105
117
## RCE
106
118
- [My First RCE (Stressed Employee gets me 2x bounty)](https://medium.com/@abhishake100/my-first-rce-stressed-employee-gets-me-2x-bounty-c4879c277e37) - [Abhishek Yadav](https://medium.com/@abhishake100)
skipped 2 lines
109
121
- [Subdomain Recon Using Certificate Search Technique](https://www.r00tpgp.com/2020/01/subdomain-recon-using-certificate.html?m=0)
110
122
- [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) - [maverickNerd](https://github.com/maverickNerd)
111
123
- [10 Recon Tools For Bug Bounty](https://medium.com/@hackbotone/10-recon-tools-for-bug-bounty-bafa8a5961bd) - Anshuman Pattnaik
124
+
- [Recon: Create a methodology and start your subdomain enumeration](https://failednuke.info/2020/recon-create-a-methodology-and-start-your-subdomain-enumeration/) - by FailedNuke
112
125
113
126
## Smart Contracts
114
127
- [Steal collateral during `end` process, by earning DSR interest after `flow](https://hackerone.com/reports/672664)(Listed as Business Logic Error)
115
128
- [Steal all MKR from `flap` during liquidation by exploiting lack of validation in `flap.kick`](https://hackerone.com/reports/684152)(Listed as Improper Input Validation)
116
129
130
+
## API
131
+
- [31 Days of API Security Tips](https://github.com/smodnix/31-days-of-API-Security-Tips) - [smodnix](https://github.com/smodnix)
132
+
117
133
## Misc
118
134
- [Hacking GitHub with Unicode's dotless 'i'](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)
119
135
- [Abusing autoresponders and email bounces](https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2) - securinti
skipped 1 lines
121
137
- [Cracking reCAPTCHA, Turbo Intruder style](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style) - James Kettle
122
138
- [Abusing ImageMagick to obtain RCE](https://strynx.org/imagemagick-rce/) - [strynx](https://strynx.org/)
123
139
- [How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN](https://blog.detectify.com/2019/09/19/alyssa-herrera-pulse-corporate-networks-ssl-vpn/) - [Alyssa Herrera](https://twitter.com/Alyssa_Herrera_)
140
+
- [2 Cases of Path Traversal](https://jlajara.gitlab.io/posts/2020/03/29/Path_Traversal.html) - by [@leonishan_](https://twitter.com/leonishan_)
141
+
- [Top 10 web hacking techniques of 2019](https://portswigger.net/research/top-10-web-hacking-techniques-of-2019) - by [James Kettle](https://twitter.com/albinowax)
142
+
- [Understanding Search Syntax on Github](https://help.github.com/en/github/searching-for-information-on-github/understanding-the-search-syntax#exclude-certain-results) - by Github
Updates to this repo will be pushed monthly. You can read about the latest changes below.
6
6
7
7
---
8
+
## Update 2020.04
9
+
### Added
10
+
- New in [Basics](/assets/basics.md)
11
+
- Added **Stanford CS 253 Web Security**
12
+
- New Category: [Hardware & IoT](/assets/hardware.md)
13
+
- Added **Exploitee.rs Wiki**
14
+
- New Category: [Coding & Scripting](/assets/coding.md)
15
+
- Added **Bash Scripting Full Course 3 Hours**
16
+
- Added **ShellCheck**
17
+
- Added **Explainshell**
18
+
- Added **Discovering the Terminal**
19
+
- Added **Text Processing in the Shell**
20
+
- New [Podcasts](/assets/media.md#Podcasts):
21
+
- **Darknet Diaries Episode 60** with dawgyg
22
+
- **The Bug Bounty Podscast Episode 3** with nahamsec
23
+
- New in [Tools](/assets/tools.md):
24
+
- **crithit**
25
+
- **objection - A new Mobile tool**
26
+
- **CyberChef**
27
+
- **RMS - Runtime Mobile Security**
28
+
- New Category: [Notes & Organization](/assets/tools.md#Notes-&-Organization)
29
+
- **Reconness** to [Notes & Organization](/assets/tools.md#Notes-&-Organization)
30
+
- **Updog** to [Notes & Organization](/assets/tools.md#Notes-&-Organization)
31
+
- New Category: [Burp Extensions](/assets/tools.md#Burp-Extensions)
32
+
- **Logger++** to [Burp Extensions](/assets/tools.md#Burp-Extensions)
33
+
- **AuthMatrix** to [Burp Extensions](/assets/tools.md#Burp-Extensions)
34
+
- **Autorize** to [Burp Extensions](/assets/tools.md#Burp-Extensions)
35
+
- **Auto Repeater** to [Burp Extensions](/assets/tools.md#Burp-Extensions)
36
+
- **Progress Tracker** to [Burp Extensions](/assets/tools.md#Burp-Extensions)
37
+
- **Flow** to [Burp Extensions](/assets/tools.md#Burp-Extensions)
38
+
- New in [Labs](/assets/labs.md):
39
+
- **TryHackMe & Videos**
40
+
- New in Media:
41
+
- **@codingo_** now in Twitter-List
42
+
- New [Streamers](/assets/media.md#Streamers):
43
+
- [sup3rhero1](https://www.twitch.tv/sup3rhero1)
44
+
- [STÖK](https://www.twitch.tv/stokfredrik)
45
+
- New in [BlogPosts](/assets/blogposts.md):
46
+
- New Category: [API](/assets/blogposts.md#API)
47
+
- Added **31 Days of API Security Tips**- Misc
48
+
- Added **Blind SQL Injection on windows10.hi-tech.mail.ru** - SQLInjection
49
+
- Added **DOM XSS on app.starbucks.com via ReturnUrl** - DOMXSS
50
+
- Added **Email address of any user can be queried on Report Invitation GraphQL type when username is known** - GraphQL
51
+
- Added **External XML Entity via File Upload (SVG)** - File Upload
52
+
- Added **Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies** - HTTP Desync
53
+
- Added **gitGraber: A tool to monitor GitHub in real-time to find sensitive data** - by [@adrien_jeanneau](https://twitter.com/adrien_jeanneau) & [@R_Marot](https://twitter.com/R_marot)
54
+
- Added **2 Cases of Path Traversal** by [@leonishan_](https://twitter.com/leonishan_)
Many Beginners often ask if Coding is a necessaty for Bug Bounty.<br>
7
+
Short Answer: No.<br>
8
+
But as often discussed on @nahamsec Twitch Channel, it is a good Tool to have in General. Coding can help you a lot with understanding stuff that you will encounter on your Hacking Sessions, but it is also generally a good skill to have in the current times. You can automate your own Tools with Python for example, or write completely new ones if you have a specific task for it in mind. We will add a lot more in here over the next updates and also reorganize the Resources by Languages and so on.
9
+
10
+
### Resources
11
+
- [Bash Scripting Full Course 3 Hours](https://www.youtube.com/watch?v=e7BufAVwDiM)
12
+
- [Explainshell](https://explainshell.com/)
13
+
- [Discovering the Terminal](https://blog.balthazar-rouberol.com/discovering-the-terminal)
14
+
- [Text Processing in the Shell](https://blog.balthazar-rouberol.com/text-processing-in-the-shell)
- [Exploitee.rs Wiki](https://www.exploitee.rs/index.php/Main_Page) - IoT Wiki Page with a bunch of Info when getting into Hardware (provided by @securibee 🐝)
- [Finding your First Bug and Getting a Bounty - Personal Story by @InsiderPhD](https://www.youtube.com/watch?v=iEDoIEBD7gM) - YouTube Discussion
12
12
- [Introduction to Docker for CTFs](https://www.youtube.com/watch?v=cPGZMt4cJ0I) (Works for Bug Bounty too) - by LiveOverflow
13
-
13
+
- [Docker Tutorial for Beginners - A Full DevOps Course on How to Run Applications in Containers](https://www.youtube.com/watch?v=fqMOX6JJhGo) - freecodecamp
14
14
## Burp Suite
15
15
This section should help you get familiar with BurpSuite.
16
16
- [Setting up Burp (Video Series)](https://www.hacker101.com/playlists/burp_suite) by Hacker101
|[OWASP Zap Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)|A Proxy to intercept and manipulate Web Traffic (free).|Java|OWASP|
20
22
|[Wireshark](https://www.wireshark.org)|Wireshark is a network protocol analyzer that lets you capture and read network packets.|C, C++|The Wireshark team|
21
23
24
+
### Burp Extension
25
+
| Name | Description | Written in |
26
+
|------ |------------- |------------ |
27
+
|[Logger++](https://portswigger.net/bappstore/470b7057b86f41c396a97903377f3d81)|"This extension can be used to log the requests and responses made by all Burp tools, and display them in a sortable table. It can also save the logged data in CSV format."|Java|
28
+
|[Flow](https://portswigger.net/bappstore/ee1c45f4cc084304b2af4b7e92c0a49d)|"This extension provides a Proxy history-like view along with search filter capabilities for all Burp tools."|Java|
29
+
|[AuthMatrix](https://portswigger.net/bappstore/30d8ee9f40c041b0bfec67441aad158e)|"AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modeling methodologies."|Python (Needs Jython version 2.7.0 or later)|
30
+
|[Autorize](https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f)|"Autorize is an extension aimed at helping the penetration tester to detect authorization vulnerabilities..."|Python (Needs Jython)|
31
+
|[Auto Repeater](https://portswigger.net/bappstore/f89f2837c22c4ab4b772f31522647ed8)|"This extension automatically repeats requests, with replacement rules and response diffing. It provides a general-purpose solution for streamlining authorization testing within web applications."|Java|
32
+
|[Progress Tracker](https://portswigger.net/bappstore/17544cadcec64dcf8ed68df8518592e4)|"Burp Suite extension to track vulnerability assessment progress"|Python|
|[Osmedeus](https://github.com/j3ssie/Osmedeus)|Fully automated offensive security framework for reconnaissance and vulnerability scanning|Python|[j3ssie](https://github.com/j3ssie)|
35
47
|[hakrawler](https://github.com/hakluke/hakrawler)|hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover Forms, Endpoints, Subdomains, Related documents and JS Files|Go|[@hakluke](https://twitter.com/hakluke)|
36
48
|[Reconness](https://github.com/reconness)|A Web App Tool to Run and Keep all your #recon in the same place.|C#|[@reconness](https://twitter.com/reconness)|
37
-
|[Kockpy](https://github.com/guelfoweb/knock)|A python tool designed to enumerate subdomains on a target domain through a wordlist|Python|[@guelforweb](http://twitter.com/guelfoweb)|
49
+
|[Knockpy](https://github.com/guelfoweb/knock)|A python tool designed to enumerate subdomains on a target domain through a wordlist|Python|[@guelforweb](http://twitter.com/guelfoweb)|
50
+
|[crithit](https://github.com/codingo/crithit)|Takes a single wordlist item and tests it one by one over a large collection of hosts before moving onto the next. Create signatures to cross-check vulnerabilities over multiple hosts.|C++|[codingo](https://github.com/codingo)|
38
51
39
52
40
53
#### OSINT Webpages
skipped 35 lines
76
89
|[dex2jar](https://github.com/pxb1988/dex2jar)|Useful to convert dex files into jar to decompile the application.|Java, Smali|Bob Pan|
77
90
|[andriller](https://github.com/den4uk/andriller)|Andriller - is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. [andriller.com](https://www.andriller.com/)|Python|[Denis Sazonov](https://github.com/den4uk)|
78
91
|[Mobile Security Framework (MobSF)](https://github.com/MobSF/Mobile-Security-Framework-MobSF/)|Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.|Python|MobSF Team|
92
+
|[objection](https://github.com/sensepost/objection)|"objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak."|Python & TypeScript|[sensepost](https://github.com/sensepost)|
93
+
|[RMS - Runtime Mobile Security](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)|Runtime Mobile Security (RMS) is a powerful web interface that helps you to manipulate Android Java Classes and Methods at Runtime|Python|[@mobilesecurity_](https://twitter.com/mobilesecurity_)|
|[Reconness](https://github.com/reconness/reconness)|"ReconNess helps you to run and keep all your #recon in the same place allowing you to focus only on the potentially vulnerable targets without distraction and without required a lot of bash skill or programing skill in general."|C#|[Reconness](https://github.com/reconness)|
99
+
|[Updog](https://github.com/sc0tfree/updog)|"Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth."|Python|[sc0tfree](https://github.com/sc0tfree)|
|[SecLists](https://github.com/danielmiessler/SecLists)|A huge collection of word lists for hacking.||Daniel Miessler|
84
106
|[Recon Pi](https://github.com/x1mdev/ReconPi)|A lightweight recon tool that performs extensive reconnaissance with the latest tools using a Raspberry Pi.||[@x1m_martijn](https://twitter.com/x1m_martijn)|
107
+
|[CyberChef](https://gchq.github.io/CyberChef/)|Awesome Tool for de-/encoding stuff. Try it out!|JavaScript|[gchq](https://github.com/gchq)|