MISC
Information
Vulnerabilities knowledge database
https://portswigger.net/kb/issues
JSON Hijacking
Keywords: JSON, hijacking
https://haacked.com/archive/2009/06/25/j...king.aspx/
Compilation of Facebook bug bounty writeups
Keywords: Facebook, compilation, writeup, bug bounty
https://www.facebook.com/notes/phwd/face...202701640/
Posts / Examples
How I Hacked Facebook, and Found Someone's Backdoor Script
Keywords: SQLi, Facebook, RCE
http://devco.re/blog/2016/04/21/how-I-ha...t-eng-ver/
How to Detect HTTP Parameter Pollution Attacks
https://www.acunetix.com/blog/whitepaper...pollution/
Active Directory
Information
A Red Teamer’s Guide to GPOs and OUs
Keywords: AD, red team, group policy
https://wald0.com/?p=179
Abusing GPO Permissions
Keywords: AD, red team, GPO, group policy
https://blog.harmj0y.net/redteaming/abus...rmissions/
https://www.harmj0y.net/blog/redteaming/...rmissions/
Posts / Examples
Kerberoasting Without Mimikatz
Keywords: Kerberos, AD
https://blog.harmj0y.net/blog/powershell...t-mimikatz
Android
Posts / Examples
Breaking The Facebook For Android Application
Keywords: Android, deeplink
https://ash-king.co.uk/facebook-bug-bounty-09-18.html
Hacking android apps with Frida I
Keywords: Frida, Android, DBI
https://www.codemetrix.net/hacking-andro...h-frida-1/
Hacking a game to learn FRIDA basics (Pwn Adventure 3)
Keywords: Frida, Android, game hacking
https://x-c3ll.github.io/posts/Frida-Pwn-Adventure-3/
Authentication / Authorization
Posts / Examples
Gaining access to private topics using quoting feature
Keywords: Discourse, authorization bypass, forum
https://hackerone.com/reports/312647
Getting any Facebook user's friend list and partial payment card details
Keywords: Facebook, authorization, GraphQL
https://www.josipfranjkovic.com/blog/fac...tcard-leak
AWS
Information
AWS Post Exploitation – Part 1
Keywords: aws, aws-cli
https://cloudsecops.com/aws-post-exploitation-part-1/
EC2 - Instance Metadata and User Data
Keywords: EC2
http://docs.aws.amazon.com/AWSEC2/latest...adata.html
How to perform S3 domain takeover
Keywords: S3, domain takeover
S3 bucket policy:
Code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::exampledomain.com/*"
      ]
    }
  ]
}
Posts / Examples
Tools
AWS pwn
Keywords: AWS
https://github.com/dagrz/aws_pwn
Scout2 - Security auditing tool for AWS environments
Keywords: AWS, Scout2, NCC
https://github.com/nccgroup/Scout2
Zeus - AWS Auditing & Hardening Tool
Keywords: AWS, hardening
https://github.com/DenizParlak/Zeus
https://github.com/RhinoSecurityLabs/pacu
https://github.com/andresriancho/nimbostratus
https://github.com/Ucnt/aws-s3-bruteforce
https://github.com/JR0ch17/S3Cruze
CORS
Information
HTTP access control (CORS)
Keywords: CORS
https://developer.mozilla.org/en-US/docs...ntrol_CORS
Posts / Examples
Exploiting CORS Misconfigurations for Bitcoins and Bounties
Keywords: CORS
http://blog.portswigger.net/2016/10/expl...s-for.html
Pre-domain wildcard CORS Exploitation
Keywords: CORS
https://medium.com/@arbazhussain/pre-dom...6ac1d4bd30
Crypto
Information
https://sites.google.com/site/cryptocrackprogram
https://r12a.github.io/uniview
https://github.com/nccgroup/featherduster
Posts / Examples
CBC "cut and paste" attack may cause Open Redirect (even XSS)
Keywords: CBC, crypto, redirect, token
https://hackerone.com/reports/126203
CSRF / SOP / CSP
Information
Authoritative guide to CORS (Cross-Origin Resource Sharing) for REST APIs
Keywords: CSRF
https://www.moesif.com/blog/technical/co...REST-APIs/
Posts / Examples
Exploiting CSRF on JSON endpoints with Flash and redirects
Keywords: CSRF, JSON
https://blog.appsecco.com/exploiting-csr...1d4ad6b31b
CSRF in 'set.php' via age causes stored XSS
Keywords: Rockstar, CSRF, XSS
https://hackerone.com/reports/152013
Plain text considered harmful: A cross-domain exploit
Keywords: SOP, JSONP, CSRF, Javascript
http://balpha.de/2013/02/plain-text-cons...n-exploit/
Bypass Same Origin Policy - BY-SOP (Challenge + explanations)
Keywords: SOP
https://github.com/mpgn/ByP-SOP/
Tools
Cloud (generic)
Posts / Examples
Hacking the Cloud
Keywords: Azure, AWS, Active Directory (AD)
https://adsecurity.org/wp-content/upload...-Final.pdf
Bypassing and exploiting Bucket Upload Policies and Signed URLs
Keywords: buckets, AWS, Google Cloud (GCP)
https://labs.detectify.com/2018/08/02/by...gned-urls/
CSV injection
Information
Posts / Examples
Comma separated vulnerabilities
Keywords: Openoffice, Libreoffice, Excel, export to csv
https://www.contextis.com/resources/blog...abilities/
Everything about the CSV Excel Macro Injection
Keywords: Excel, macro injection
http://blog.securelayer7.net/how-to-perf...injection/
Exploiting ‘Export as CSV’ functionality: The road to CSV Injection
Keywords: export as csv
http://www.tothenew.com/blog/csv-injection/
Cloud Security Risks (P2): CSV Injection in AWS CloudTrail
Keywords: AWS
https://rhinosecuritylabs.com/aws/cloud-...loudtrail/
http://blog.zsec.uk/csv-dangers-mitigations/
Bluetooth
Posts / Examples
Reversing and exploiting BLE 4.0 communication
Keywords: BLE, Bluetooth
http://payatu.com/reversing-exploiting-b...unication/
How to capture Bluetooth packets on Android 4.4
Keywords: BLE, Bluetooth, Android
https://www.nowsecure.com/blog/2014/02/0...droid-4-4/
This Is Not a Post About BLE, Introducing BLEAH
Keywords: BLE, Bluetooth
https://www.evilsocket.net/2017/09/23/Th...ing-BLEAH/
Desktop apps / Binaries
Information
Posts / Examples
XSS to RCE in Atlassian Hipchat
Keywords: RCE, XSS, Desktop, Electron
https://maustin.net/2015/11/12/hipchat_rce.html
Modern Alchemy: Turning XSS into RCE
Keywords: RCE, XSS, Desktop, Electron
https://blog.doyensec.com/2017/08/03/ele...urity.html
Tools
Directory/path traversal
Information
Directory Traversal Checklist
Keywords: checklist, path traversal, directory traversal
● 16-bit Unicode encoding:
● . = %u002e, / = %u2215, \ = %u2216
● Double URL encoding:
● . = %252e, / = %252f, \ = %255c
● UTF-8 Unicode encoding:
● . = %c0%2e, %e0%40%ae, %c0ae, / = %c0%af, %e0%80%af, %c0%2f, \ = %c0%5c, %c0%80%5c
Django / Python
Information
Posts / Examples
Exploring server-side template injection in Flask Jinja2
Keywords: Flask, Jinja2
https://nvisium.com/blog/2016/03/09/expl...sk-jinja2/
Injecting Flask
Keywords: Flask
https://nvisium.com/blog/2015/12/07/injecting-flask/
Uber Remote Code Execution - Uber.com Remote Code Execution via Flask Jinja2 Template Injection
Keywords: Flask, Jinja2
http://blog.orange.tw/2016/04/bug-bounty...ode_7.html
Tools
Ethereum
Posts / Examples
Thinking About Smart Contract Security
https://blog.ethereum.org/2016/06/19/thi...-security/
Exploiting
Information / Training
Linux Heap Exploitation Intro Series: Used and Abused – Use After Free
Keywords: use after free
https://sensepost.com/blog/2017/linux-he...fter-free/
Return oriented programming
Keywords: ROP, training
https://ropemporium.com/
Hunting In Memory
Keywords: shellcode injection, reflective DLL injection, memory module, process and module hollowing, Gargoyle (ROP/APC)
https://www.endgame.com/blog/technical-b...ing-memory
File upload / image upload
Posts / Examples
forum.getmonero.org Shell upload
Keywords: image upload, forum, php, shell, exif
https://hackerone.com/reports/357858
Google Cloud Platform
Tools
AWS pwn
Keywords: AWS
https://github.com/dagrz/aws_pwn
Google web toolkit (GWT)
From Serialized to Shell :: Auditing Google Web Toolkit
Keywords: GWT, RCE, serialization
https://srcincite.io/blog/2017/04/27/fro...olkit.html
HTTP Headers
Practical HTTP Host header attacks
Keywords: HTTP Headers, Host, cache poisoning
http://www.skeletonscribe.net/2013/05/pr...tacks.html
HTTP request smuggling
HTTP Desync Attacks: Request Smuggling Reborn
Keywords: smuggling, HTTP pipelining
https://portswigger.net/research/http-de...ing-reborn
iOS
Information / Tips
“Easy network monitoring on non-jailbroken iOS:
1/ connect your iOS device to your macOS via USB
2/ rvictl -s <UDID>
3/ tcpdump|wireshark -i rvi0”
IoT / Hardware
Posts / Examples
Philips Hue Reverse Engineering (BH Talk ‘A Lightbulb Worm?’)
Keywords: Philips hue, IoT, Zigbee
http://colinoflynn.com/2016/08/philips-h...-hat-2016/
A Red Team Guide for a Hardware Penetration Test: Part 1
Keywords: Hardware, router, iot
https://adam-toscher.medium.com/a-red-te...14692da9a1
Tools
JWT (JSON Web Token)
Information
JWT (JSON Web Token) (in)security
Keywords: JWT, json web tokens
https://research.securitum.com/jwt-json-...-security/
Posts / Examples
Critical Vulnerability Uncovered in JSON Encryption
Keywords: JWT, json
http://blogs.adobe.com/security/2017/03/...ption.html
Tools
LFI/RFI
Information
https://highon.coffee/blog/lfi-cheat-sheet/
https://www.hackthis.co.uk/articles/shel...elfenviron
https://blog.g0tmi1k.com/2012/02/kioptri...ocal-file/
Posts / Examples
LOCAL FILE READ VIA XSS IN DYNAMICALLY GENERATED PDF
Keywords: XSS, LFI, pdf generator, pdf
http://www.noob.ninja/2017/11/local-file...cally.html
PHP Remote File Inclusion command shell using data://
Keywords: PHP, RFI, LFI, URI
https://www.idontplaydarts.com/2011/03/p...ta-stream/
NodeJS / Javascript server-side
Posts / Examples
[demo.paypal.com] Node.js code injection (RCE)
Keywords: Paypal, Node, NodeJS, RCE
http://artsploit.blogspot.com.es/2016/08/pprce2.html
Exploiting Node.js deserialization bug for Remote Code Execution
Keywords: Node, NodeJS, RCE
https://opsecx.com/index.php/2017/02/08/...execution/
OAUTH
Information
Starting with OAuth 2.0 – Security Check && Secure OAuth 2.0: What Could Possibly Go Wrong?
Keywords: OAuth
https://www.securing.pl/en/starting-with...index.html
https://www.securing.pl/en/secure-oauth-...index.html
Posts / Examples
Login CSRF + Open Redirect -> Account Takeover
Keywords: Uber, CSRF, account takeover, Oauth theft
http://ngailong.com/uber-login-csrf-open...-takeover/
Tools
Open redirects
Information
Open Url Redirects
Keywords: open redirect, location
https://zseano.com/tutorials/1.html
Posts / Examples
Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat
Keywords: SSRF
http://buer.haus/2017/03/09/airbnb-chain...rson-chat/
Powershell / Windows CMD
Information
15 Ways to Bypass the PowerShell Execution Policy
Keywords: Powershell, policy, bypass
https://blog.netspi.com/15-ways-to-bypas...on-policy/
DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques
Keywords: cmd.exe, obfuscation, windows
https://www.fireeye.com/content/dam/fire...report.pdf
Physical attacks / USB / HARDWARE
Information
Posts / Examples
Real-world Rubber Ducky attacks with Empire stagers
Keywords: Empire, Rubber Ducky, USB
https://www.sc0tfree.com/sc0tfree-blog/o...re-stagers
Red team exercises
Information
Red team tips
Keywords: red team, tips
https://vincentyiu.co.uk/red-team-tips/
Posts / Examples
From APK to Golden Ticket
Keywords: red team, apk, golden ticket
https://docs.google.com/document/d/1XWzl...zyxPfyW4GQ
Restricted shells
Information
Escape From SHELLcatraz - Breaking Out of Restricted Unix Shells
Keywords: shell escapes, restricted shell
https://speakerdeck.com/knaps/escape-fro...nix-shells
Restricted Linux Shell Escaping Techniques
Keywords: shell escapes, restricted shell
https://fireshellsecurity.team/restricte...echniques/
RCE
Information
Server-side Template injection / SSTI
Keywords: template, Mako, Jinja, Twig, Smarty
https://web-in-security.blogspot.co.uk/2...sheet.html
XXE payloads
Keywords: XXE, payloads, injection
https://gist.github.com/staaldraad/01415b990939494879b4
Exploitation: XML External Entity (XXE) Injection
Keywords: XXE
https://depthsecurity.com/blog/exploitat...-injection
XXE: How to become a Jedi
Keywords: XXE
https://www.slideshare.net/ssuserf09cba/...ome-a-jedi
Hunting in the Dark - Blind XXE
Keywords: XXE, blind
https://blog.zsec.uk/blind-xxe-learning/amp/
Playing with Content-Type – XXE on JSON Endpoints
Keywords: XXE, json, content-type
https://blog.netspi.com/playing-content-...endpoints/
XML Vulnerabilities and Attacks cheatsheet
Keywords: XXE, Cheatsheet
https://gist.github.com/mgeeky/4f726d3b3...19c9004870
Posts / Examples
XML External Entity Injection in Jive-n (CVE-2018-5758)
Keywords: XXE, Word, DTD
https://rhinosecuritylabs.com/research/x...2018-5758/
Cheatsheets (to be cleaned)
All in one References / Full blogs/sites
http://pwnwiki.io/#!index.md
https://jivoi.github.io/2015/07/01/pente...nd-tricks/
https://philippeharewood.com/
OSCP Reviews
http://www.abatchy.com/2017/03/how-to-pr...-noob.html
https://www.securitysift.com/offsec-pwb-oscp/
Enumeration Cheatsheet
https://highon.coffee/blog/nmap-cheat-sheet/
https://highon.coffee/blog/penetration-t...eat-sheet/
http://www.0daysecurity.com/penetration-...ation.html
Privilege Escalation
https://blog.g0tmi1k.com/2011/08/basic-l...scalation/
https://github.com/rebootuser/LinEnum
https://www.securitysift.com/download/li...checker.py
https://github.com/PenturaLabs/Linux_Exploit_Suggester
https://pentest.blog/windows-privilege-e...entesters/
https://www.youtube.com/watch?v=kMG8IsCohHA
http://www.fuzzysecurity.com/tutorials/16.html
https://toshellandback.com/2015/11/24/ms-priv-esc/
https://github.com/51x/WHP
https://isc.sans.edu/diary/Windows+Comma...+WMIC/1229
Abusing SUDO (Linux Privilege Escalation)
http://touhidshaikh.com/blog/?p=790
Reverse Shell Cheatsheet
https://www.phillips321.co.uk/2012/02/05...eat-sheet/
https://highon.coffee/blog/reverse-shell-cheat-sheet/
http://pentestmonkey.net/cheat-sheet/she...heat-sheet
Get TTY shell
https://blog.ropnop.com/upgrading-simple...tive-ttys/
https://netsec.ws/?p=337
Buffer Overflow
https://www.corelan.be/index.php/2009/07...overflows/
http://netsec.ws/?p=180
Msfvenom Cheatsheet
http://security-geek.in/2016/09/07/msfve...eat-sheet/
Porting Metasploit Exploits
https://netsec.ws/?p=262
Port forwarding & Pivoting
https://artkond.com/2017/03/23/pivoting-guide/
http://atropineal.com/2016/11/18/pivotin...oxychains/
http://netsec.ws/?p=278
Client-Side Attacks
https://www.offensive-security.com/metas...-exploits/
Practice
https://www.hackthebox.eu/
https://www.vulnhub.com/
https://exploit-exercises.com/
https://shellterlabs.com/en/