diff --git a/docs/books.md b/docs/books.md index 2cb3604..b6c1622 100644 --- a/docs/books.md +++ b/docs/books.md @@ -1,4 +1,4 @@ -If you are a Begineer, i would suggest to start with below books +If you are a beginner, I would suggest to start with below books: * [The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws: Dafydd Stuttard, Marcus Pinto](https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/) * [OWASP Testing Guide V4](https://www.owasp.org/images/1/19/OTGv4.pdf) diff --git a/docs/frontend.md b/docs/frontend.md index 1747419..ff03d55 100644 --- a/docs/frontend.md +++ b/docs/frontend.md @@ -10,6 +10,7 @@ * [Xssing Web Part - 1](http://blog.rakeshmane.com/2016/11/xssing-web-part-1.html) * [Xssing Web Part - 2](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html) * [IronWASP - Open Source Advanced Web Security Testing Platform: Contexts and Cross-site Scripting - a brief intro](http://blog.ironwasp.org/2014/07/contexts-and-cross-site-scripting-brief.html) +* [Why isn't my injection firing, it looks perfect! - An XSS Troubleshooting Guide](https://mechatechsec.blogspot.com/2018/05/why-isnt-my-injection-firing-it-looks.html) ### Reflected XSS @@ -62,6 +63,7 @@ * [Minded Security Blog: DOM XSS in Google VRView library](https://blog.mindedsecurity.com/2018/04/dom-based-cross-site-scripting-in.html) * [#231053 XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"](https://hackerone.com/reports/231053) * [#262230 Tinymce 2.4.0](https://hackerone.com/reports/262230) +* [DOM Based Cross Site Scripting or XSS of the Third Kind](http://www.webappsec.org/projects/articles/071105.shtml) ### Blind XSS 
@@ -82,6 +84,7 @@ * [nVisium/xssValidator: This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.](https://github.com/nVisium/xssValidator) * [mandatoryprogrammer/xssless: An automated XSS payload generator written in python.](https://github.com/mandatoryprogrammer/xssless) * [stamparm/DSXS: Damn Small XSS Scanner](https://github.com/stamparm/DSXS) +* [XSS Hunter](https://xsshunter.com/features) ## Content Security Policy(CSP) @@ -93,6 +96,11 @@ * [Bypassing CSP using polyglot JPEGs | Blog](https://portswigger.net/blog/bypassing-csp-using-polyglot-jpegs) * [Chrome XSS Auditor - SVG Bypass - Brute XSS](https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/) * [Neatly bypassing CSP](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa) +* [Content Security Policy Reference](https://content-security-policy.com/) +* [Content Security Policy - An Introduction - Scott Helme](https://scotthelme.co.uk/content-security-policy-an-introduction/) +* [Content Security Policy (CSP) Validator](https://www.cspvalidator.org/) +* [Content Security Policies Best Practices - NCCGroup](https://www.nccgroup.trust/globalassets/newsroom/us/news/documents/2013/csp_best_practices.pdf) +* [h3xStream's blog: Auditing CSP headers with Burp and ZAP](https://blog.h3xstream.com/2016/06/auditing-csp-headers-with-burp-and-zap.html) ### Burp Extensions 
@@ -119,6 +127,7 @@ * [#44146 Make API calls on behalf of another user (CSRF protection bypass)](https://hackerone.com/reports/44146) * [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack)](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/) * [How I found a Remote Code Execution bug affecting Facebook's servers](https://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution) +* [Stealing CSRF tokens with XSS](https://digi.ninja/blog/xss_steal_csrf_token.php) ### JSON CSRF @@ -138,6 +147,7 @@ * [DOM based AngularJS sandbox escapes | Blog](https://portswigger.net/blog/dom-based-angularjs-sandbox-escapes) * [Angular JS Security Videos](https://www.youtube.com/playlist?list=PLhixgUqwRTjwJTIkNopKuGLk3Pm9Ri1sF) * [XSS without HTML: Client-Side Template Injection with AngularJS | Blog](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs) + ## React JS * [XSS via a spoofed React element](http://danlec.com/blog/xss-via-a-spoofed-react-element) @@ -191,6 +201,7 @@ ### Tools * [cure53/Flashbang: Project "Flashbang" - An open-source Flash-security helper](https://github.com/cure53/Flashbang) +* [CharCode Translator](http://www.jdstiles.com/java/cct.html) ## Dangling Markup 
@@ -228,10 +239,12 @@ * [RPO in Google Fusion Table](https://blog.innerht.ml/internet-explorer-has-a-url-problem/#rpoingooglefusiontable) ## CSS Injection + * [Testing for CSS Injection (OTG-CLIENT-005) - OWASP](https://www.owasp.org/index.php/Testing_for_CSS_Injection_(OTG-CLIENT-005)) * [Yahoo Login Protection Seal – Stored CSS Injection | Brett Buerhaus](https://buer.haus/2016/04/18/yahoo-login-protection-seal-stored-css-injection/) * [Exfiltration via CSS Injection – d0nut – Medium](https://medium.com/@d0nut/exfiltration-via-css-injection-4e999f63097d) * [dxa4481/cssInjection: Stealing CSRF tokens with CSS injection (without iFrames)](https://github.com/dxa4481/cssInjection) + ## ClickJacking * [Clickjackings in several Google Products](https://medium.com/@raushanraj_65039/google-clickjacking-6a04132b918a) diff --git a/docs/serversidesecurity.md b/docs/serversidesecurity.md index b5cc405..47f9ef1 100644 --- a/docs/serversidesecurity.md +++ b/docs/serversidesecurity.md 
@@ -64,11 +64,13 @@ * [Ok Google, Give Me All Your Internal DNS Information! – RCE Security](https://www.rcesecurity.com/2017/03/ok-google-give-me-all-your-internal-dns-information/) ### Tools + * [immunIT/XIP: XIP generates a list of IP addresses by applying a set of transformations used to bypass security measures e.g. blacklist filtering, WAF, etc.](https://github.com/immunIT/XIP) * [C-REMO/Obscure-IP-Obfuscator: Simple script you can use to convert and obscure any IP address of any host.](https://github.com/C-REMO/Obscure-IP-Obfuscator) * [tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in various servers](https://github.com/tarunkant/Gopherus) * [blazeinfosec/ssrf-ntlm: Proof of concept written in Python to show that in some situations a SSRF vulnerability can be used to steal NTLMv1/v2 hashes.](https://github.com/blazeinfosec/ssrf-ntlm) * [PayloadsAllTheThings/SSRF injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF%20injection) + ### Cheatsheet/Payloads * [SSRF bible. Cheatsheet ](https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit) 
@@ -84,6 +86,14 @@ * [XPATH Injection - OWASP](https://www.owasp.org/index.php/XPATH_Injection) * [Top 10-2017 A4-XML External Entities (XXE) - OWASP](https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)) * [XML Security Cheat Sheet - OWASP](https://www.owasp.org/index.php/XML_Security_Cheat_Sheet) +* [XML Parser Evaluation ](https://web-in-security.blogspot.com/2016/03/xml-parser-evaluation.html) +* [DTD Cheat Sheet](https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html) +* [Security Implications of DTD Attacks Against a Wide Range of XML Parsers](https://www.nds.rub.de/media/nds/arbeiten/2015/11/04/spaeth-dtd_attacks.pdf) +* [XXE Cheatsheet – XML External Entity Injection](https://www.gracefulsecurity.com/xxe-cheatsheet/) +* [Generic XXE Detection](http://christian-schneider.net/GenericXxeDetection.html#main) +* [Exploitation: XML External Entity (XXE) Injection](https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection) +* [Payload All The Things XXE](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection) +* [XML Vulnerabilities and Attacks cheatsheet](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) ### Writeups 
@@ -117,6 +127,12 @@ * [Testing for Local File Inclusion - OWASP](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion) * [Testing Directory traversal/file include (OTG-AUTHZ-001) - OWASP](https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)) +* [Using php://filter for local file inclusion](https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/) +* [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/) +* [LFI Cheat Sheet](https://highon.coffee/blog/lfi-cheat-sheet/) +* [Directory Traversal, File Inclusion, and The Proc File System](https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/) +* [LFI to shell – exploiting Apache access log](https://roguecod3r.wordpress.com/2014/03/17/lfi-to-shell-exploiting-apache-access-log/) +* [Exploiting PHP File Inclusion – Overview](https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/) ### Writeups 
@@ -134,12 +150,18 @@ ## SQL Injection ### Learning + * [SQLBolt - Learn SQL - Introduction to SQL](https://sqlbolt.com/) * [SQL Injection - OWASP](https://www.owasp.org/index.php/SQL_Injection) * [Blind SQL Injection - OWASP](https://www.owasp.org/index.php/Blind_SQL_Injection) * [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/) * [Testing for SQL Injection (OTG-INPVAL-005) - OWASP](https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)) * [SQL Injection Bypassing WAF - OWASP](https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF) +* [SQLInjection.net](http://www.sqlinjection.net/) +* [Exploiting A Tricky SQL Injection With sqlmap](http://pentestmonkey.net/blog/exploiting-a-tricky-sql-injection-with-sqlmap) +* [SQLMap Tamper Scripts (SQL Injection and WAF bypass) Tips](https://medium.com/@drag0n/sqlmap-tamper-scripts-sql-injection-and-waf-bypass-c5a3f5764cb3) +* [SQLMap Tamper Scripts (SQL Injection and WAF bypass)](https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423) +* [SQLi Without Quotes](https://eternalnoobs.com/sqli-without-quotes/) ### Writeups @@ -151,6 +173,7 @@ * [Exploiting a Boolean Based SQL Injection using Burp Suite Intruder – i break software](https://ibreak.software/2017/12/exploiting-a-boolean-based-sql-injection-using-burp-suite-intruder/) * [Beyond SQLi: Obfuscate and Bypass](https://www.exploit-db.com/papers/17934/) * [Orange: GitHub Enterprise SQL Injection](http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html) +* [Anatomy of a Hack: SQLi to Enterprise Admin](https://www.notsosecure.com/anatomy-of-a-hack-sqli-to-enterprise-admin/) ### Cheatsheet/Payloads 
@@ -170,8 +193,13 @@ * [Common JWT security vulnerabilities and how to avoid them | Connect2id](https://connect2id.com/products/nimbus-jose-jwt/vulnerabilities) * [JSON Web Token (JWT) Cheat Sheet for Java - OWASP](https://www.owasp.org/index.php/JSON_Web_Token_(JWT)_Cheat_Sheet_for_Java) * [How to Hack a Weak JWT Implementation with a Timing Attack](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9) +* [Stop using JWT for sessions](http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/) +* [Stop using JWT for sessions, part 2: Why your solution doesn't work](http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/) +* [Crafting your way through JSON Web Tokens](https://www.notsosecure.com/crafting-way-json-web-tokens/) +* [JWT Hacking 101](https://trustfoundry.net/jwt-hacking-101/) ### Writeups + * [How I got access to millions of [redacted] accounts - Bitquark](https://bitquark.co.uk/blog/2016/02/09/how_i_got_access_to_millions_of_redacted_accounts) * [Hacking JSON Web Tokens](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) @@ -202,7 +230,9 @@ ## Mongo DB Injection ### Learning + * [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection) +* [Attacking MongoDB](http://blog.ptsecurity.com/2012/11/attacking-mongodb.html) ### Writeups @@ -217,6 +247,7 @@ * [codingo/NoSQLMap: Automated NoSQL database enumeration and web application exploitation tool.](https://github.com/codingo/NoSQLMap) * [PayloadsAllTheThings/NoSQL injection ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20injection) + ## Race Conditions ### Learning 
@@ -268,6 +299,7 @@ * [Omer Gil: Web Cache Deception Attack](https://omergil.blogspot.com/2017/02/web-cache-deception-attack.html) * [#260697 CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception)](https://hackerone.com/reports/260697) * [PayloadsAllTheThings/Web cache deception ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Web%20cache%20deception) + ## API Security * [REST Security Cheat Sheet - OWASP](https://www.owasp.org/index.php/REST_Security_Cheat_Sheet) @@ -299,11 +331,13 @@ * [GraphQL abuse: Bypass account level permissions through parameter smuggling](https://labs.detectify.com/2018/03/14/graphql-abuse/) ### Tools + * [doyensec/graph-ql: GraphQL Security Research Material](https://github.com/doyensec/graph-ql) ## Java Deserilization ### Learning + * [Deserialization of untrusted data - OWASP](https://www.owasp.org/index.php/Deserialization_of_untrusted_data) * [Deserialization Cheat Sheet - OWASP](https://www.owasp.org/index.php/Deserialization_Cheat_Sheet) * [Top 10-2017 A8-Insecure Deserialization - OWASP](https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization) @@ -335,6 +369,7 @@ ## Authentication Bypass ### Learning + * [Testing for Bypassing Authentication Schema (OTG-AUTHN-004) - OWASP](https://www.owasp.org/index.php/Testing_for_Bypassing_Authentication_Schema_(OTG-AUTHN-004)) * [Top 10-2017 A2-Broken Authentication - OWASP](https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication) * [Authentication Cheat Sheet - OWASP](https://www.owasp.org/index.php/Authentication_Cheat_Sheet) 
@@ -376,11 +411,14 @@ * [Server-Side Template Injection | Blog](https://portswigger.net/blog/server-side-template-injection) * [Server-Side Template Injection:RCE for the modern webapp](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf) * [Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic | Can I Haz Security](http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/) +* [Exploring SSTI in Flask/Jinja2](https://www.lanmaster53.com/2016/03/09/exploring-ssti-flask-jinja2/) +* [Exploring SSTI in Flask/Jinja2 - Part 2](https://www.lanmaster53.com/2016/03/11/exploring-ssti-flask-jinja2-part-2/) ### Tools * [epinna/tplmap: Server-Side Template Injection and Code Injection Detection and Exploitation Tool](https://github.com/epinna/tplmap) * [PayloadsAllTheThings/Server Side Template injections](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20injections) + ## WAF Bypass * [Web Application Firewall (WAF) Evasion Techniques – secjuice™ – Medium](https://medium.com/secjuice/waf-evasion-techniques-718026d693d8) @@ -389,7 +427,6 @@ * [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities | Brett Buerhaus](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) * [How to bypass libinjection in many WAF/NGWAF – Ivan Novikov – Medium](https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f) - ## WebHooks Security * [Bypassing Payments Using Webhooks | Lightning Security](https://lightningsecurity.io/blog/bypassing-payments-using-webhooks/) 
@@ -430,6 +467,7 @@ * [PayloadsAllTheThings/PHP serialization ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/PHP%20serialization) ## Application Logic + * [Business logic vulnerability - OWASP](https://www.owasp.org/index.php/Business_logic_vulnerability) * [Testing for business logic - OWASP](https://www.owasp.org/index.php/Testing_for_business_logic) * [Google Exploit - Steal Account Login Email Addresses - Tom Anthony](http://www.tomanthony.co.uk/blog/google-exploit-steal-login-email-addresses/) @@ -438,6 +476,7 @@ ## Insecure Direct Object Reference(IDOR) ### Learning + * [Top 10 2013-A4-Insecure Direct Object References - OWASP](https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References) * [Testing for Insecure Direct Object References (OTG-AUTHZ-004) - OWASP](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)) * [How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities](https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/) @@ -467,7 +506,9 @@ * [cujanovic/CRLF-Injection-Payloads: Payloads for CRLF Injection](https://github.com/cujanovic/CRLF-Injection-Payloads/blob/master/CRLF-payloads.txt) * [PayloadsAllTheThings/CRLF injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%20injection) + ## Forgot Password Related Vulnerabilities + * [Forgot Password Cheat Sheet - OWASP](https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet) * [Full account Takeover via reset password function](https://medium.com/@khaled.hassan/full-account-takeover-via-reset-password-function-8b6ef15f346f)
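Review bot: The books.md hunk (@@ -1,4 +1,4) corrects `Begineer` and the lowercase `i` but leaves `suggest to start with below books`, which is still ungrammatical; `If you are a beginner, I would suggest starting with the books below:` reads naturally and keeps the added colon.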
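Review bot: In the DOM XSS hunk of frontend.md (@@ -62,6 +63,7) the added `DOM Based Cross Site Scripting or XSS of the Third Kind` entry is a foundational reference article, yet it is appended after two HackerOne report entries; if this section follows the learning/writeups split used elsewhere in the repo, it belongs with the learning material rather than at the tail of the writeups.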
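Review bot: The new `* [XSS Hunter](https://xsshunter.com/features)` line in the frontend.md Tools hunk (@@ -82,6 +84,7) is the only tool in that list without a description; its neighbours follow the `owner/repo: one-line description` pattern (`stamparm/DSXS: Damn Small XSS Scanner`). Suggest adding a one-line description in the same form and linking the project's landing page rather than the `/features` subpage, which is more likely to move.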
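Review bot: The last addition in the CSP hunk (@@ -93,6 +96,11), `h3xStream's blog: Auditing CSP headers with Burp and ZAP`, is tool-usage material placed directly above the `### Burp Extensions` subsection; consider moving it under that subsection so the general CSP list stays references and bypass writeups. The other four additions (reference, introduction, validator, NCC Group best practices) are reference material and fit where they are.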
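Review bot: The `CharCode Translator` entry added in the Tools hunk at @@ -191,6 +201,7 has no description and, unlike its neighbour `cure53/Flashbang`, gives no hint of how it relates to the section it sits in; a short description of what the translator converts and why it is useful here would help readers scanning the list.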
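Review bot: Two style nits in the XXE hunk of serversidesecurity.md (@@ -84,6 +86,14): the link text `[XML Parser Evaluation ]` carries a trailing space inside the brackets, and `Payload All The Things XXE` departs from the `PayloadsAllTheThings/<topic>` naming the same file uses for that repository (compare `PayloadsAllTheThings/SSRF injection` and `PayloadsAllTheThings/NoSQL injection `, the latter of which also has a stray trailing space worth fixing while here). Suggest `[XML Parser Evaluation](...)` and `[PayloadsAllTheThings/XXE injection](...)`.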
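Review bot: In the SQL Injection Learning hunk (@@ -134,12 +150,18) the two added entries `SQLMap Tamper Scripts (SQL Injection and WAF bypass) Tips` (Medium) and `SQLMap Tamper Scripts (SQL Injection and WAF bypass)` (Bugcrowd forum) have near-identical titles; please confirm they are distinct content rather than a repost of the same material, and keep only one if not. `Exploiting A Tricky SQL Injection With sqlmap` is a walkthrough of a single case, which this file files under `### Writeups` (the next subsection in the same hunk) rather than `### Learning`.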
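Review bot: The hunk at @@ -299,11 +331,13 adds blank lines around the `## Java Deserilization` section but leaves the heading typo in its context line; since the books.md hunk in this same patch fixes `Begineer`, consider correcting `Deserilization` to `Deserialization` here too, bearing in mind that auto-generated heading anchors change with the heading text.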
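Review bot: The hunk at @@ -389,7 +427,6 deletes the blank line before `## WebHooks Security`, while every other whitespace change in this patch adds a blank line between a list and the following `##`/`###` heading (@@ -376 adds one before `## WAF Bypass`, @@ -268 before `## API Security`, @@ -217 before `## Race Conditions`). Pick one convention; given the rest of the patch, the blank line before `## WebHooks Security` should stay.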