crash.software
Projects
Pull Requests
Issues
Builds
Resources-for-Beginner-Bug-Bounty-Hunters
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY Resources-for-Beginner-Bug-Bounty-Hunters Commits e8ba9c56
🤬
  • ■ ■ ■ ■ ■ ■
    assets/blogposts.md
    skipped 18 lines
    19 19  - [Buffer Overflow](#Buffer-Overflow)
    20 20  - [IDOR](#IDOR)
    21 21  - [GraphQL](#GraphQL)
     22 +- [RCE](#RCE)
    22 23  - [Misc](#Misc)
    23 24  ---
    24 25  ## XSS
    skipped 68 lines
    93 94  - [Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method](https://www.indoappsec.in/2019/12/airbnb-steal-earning-of-airbnb-hosts-by.html) - [Vijay Kumar ](https://twitter.com/IndoAppSec)
    94 95  - [GraphQL IDOR leads to information disclosure](https://medium.com/@R0X4R/graphql-idor-leads-to-information-disclosure-175eb560170d) - [@R0X4R](https://twitter.com/R0X4R)
    95 96  - [From Multiple IDORs leading to Code Execution on a different Host Container](https://www.rahulr.in/2019/10/idor-to-rce.html?m=1) - [@Rahul_R95](https://twitter.com/Rahul_R95)
     97 +- [Automating BURP to find IDORs](https://medium.com/cyberverse/automating-burp-to-find-idors-2b3dbe9fa0b8) - [Aditya Soni](https://medium.com/@hetroublemakr)
    96 98   
    97 99  ## GraphQL
    98 100  - [Private System Note Disclosure using GraphQL](https://hackerone.com/reports/633001) - Ron Chan
    99 101  - [Graphql Abuse to Steal Anyone’s Address](https://blog.usejournal.com/graphql-bug-to-steal-anyones-address-fc34f0374417) - pratik yadav
    100 102   
     103 +## RCE
     104 +- [My First RCE (Stressed Employee gets me 2x bounty)](https://medium.com/@abhishake100/my-first-rce-stressed-employee-gets-me-2x-bounty-c4879c277e37) - [Abhishek Yadav](https://medium.com/@abhishake100)
     105 + 
    101 106  ## Misc
    102 107  - [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) - [maverickNerd](https://github.com/maverickNerd)
    103 108  - [Hacking GitHub with Unicode's dotless 'i'](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)
    skipped 1 lines
    105 110  - [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) - [@nj_dav](https://twitter.com/nj_dav)
    106 111  - [Cracking reCAPTCHA, Turbo Intruder style](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style) - James Kettle
    107 112  - [Abusing ImageMagick to obtain RCE](https://strynx.org/imagemagick-rce/) - [strynx](https://strynx.org/)
     113 +- [How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN](https://blog.detectify.com/2019/09/19/alyssa-herrera-pulse-corporate-networks-ssl-vpn/) - [Alyssa Herrera](https://twitter.com/Alyssa_Herrera_)
    108 114   
    109 115  ---
    110 116  back to [Intro Page](/README.md)
  • ■ ■ ■ ■ ■ ■
    assets/changelog.md
    skipped 3 lines
    4 4   
    5 5  Updates to this repo will be pushed monthly. You can read about the latest changes below.
    6 6   
     7 +## Update 2020.02
     8 +### Added
     9 +- New XSS Lab: **XSS Labs from PwnFunction**
     10 +- New Recon & OSINT Tool: **Reconness**
     11 +- New [IDOR Blogspost](/assets/blogposts.md#IDOR): **Automating BURP to find IDORs**
     12 +- New [Misc Blogpost](/assets/blogposts.md#Misc): **How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN**
     13 +- New Blogspost Category: [RCE](/assets/blogposts.md#RCE)
     14 + - New RCE Blogpost :**My First RCE (Stressed Employee gets me 2x bounty)**
     15 +- New Vulnerabilities Post: **The 7 main XSS cases everyone should know**
     16 + 
    7 17  ## Update 2020.01
    8 18  ### Added
    9 19  - New changelog page
    skipped 11 lines
  • ■ ■ ■ ■ ■
    assets/labs.md
    skipped 10 lines
    11 11  - [DWVA](http://www.dvwa.co.uk)
    12 12  - [Google Gruyere](https://google-gruyere.appspot.com/)
    13 13  - [Web Security Academy by PortSwigger](https://portswigger.net/web-security)
     14 +- [XSS Labs from PwnFunction](https://xss.pwnfunction.com/) Great Labs in a beautiful layout
    14 15   
    15 16  ---
    16 17  back to [Intro Page](/README.md)
  • ■ ■ ■ ■ ■
    assets/tools.md
    skipped 32 lines
    33 33  |[httprobe](https://github.com/tomnomnom/httprobe)|Take a list of domains and probe for working http and https servers.|Go|[Tom Hudson](https://github.com/tomnomnom)|
    34 34  |[Osmedeus](https://github.com/j3ssie/Osmedeus)|Fully automated offensive security framework for reconnaissance and vulnerability scanning|Python|[j3ssie](https://github.com/j3ssie)|
    35 35  |[hakrawler](https://github.com/hakluke/hakrawler)|hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover Forms, Endpoints, Subdomains, Related documents and JS Files|Go|[@hakluke](https://twitter.com/hakluke)|
     36 +|[Reconness](https://github.com/reconness)|A Web App Tool to Run and Keep all your #recon in the same place.|C#|[@reconness](https://twitter.com/reconness)|
    36 37   
    37 38  #### OSINT Webpages
    38 39  | Name | Description | Created by |
    skipped 46 lines
  • ■ ■ ■ ■ ■
    assets/vulns.md
    skipped 15 lines
    16 16  - [Google Application Security (XSS Guide)](https://www.google.com/intl/am_AD/about/appsecurity/learning/xss/)
    17 17  - [What is PHP and why is XSS so common there?](https://www.youtube.com/watch?v=Q2mGcbkX550) - by LiveOverflow
    18 18  - [Finding Your First Bug: Cross Site Scripting (XSS)](https://www.youtube.com/watch?v=IWbmP0Z-yQg) - by InsiderPhD
     19 +- [The 7 main XSS cases everyone should know](https://brutelogic.com.br/blog/the-7-main-xss-cases-everyone-should-know/) - [brutelogic](https://brutelogic.com.br/blog/about/)
    19 20   
    20 21  ## Cross-Site Request Forgery (CSRF)
    21 22  - [Cross-Site Request Forgery Attack](https://www.youtube.com/watch?v=eWEgUcHPle0) - by PwnFunction
    skipped 17 lines
Please wait...
Page is in error, reload to recover