Slack Archives 💎

Blogs

This is an archive of links shared in slack channel.

RCE (Remote Code Execution)

• https://www.hackerone.com/blog/how-to-command-injections
• https://medium.com/@th3g3nt3l/how-i-got-5500-from-yahoo-for-rce-92fffb7145e6
• http://www.hackingarticles.in/beginner-guide-os-command-injection/
• http://www.afolgado.com/2017/06/10/phpcommandiargumenti/

XSS (Cross Site Scripting)

• http://zhchbin.github.io/2016/09/10/A-Valuable-XSS/
• http://brutelogic.com.br
• http://www.sxcurity.pro/bandcamp-stored-xss.html

CSRF (Cross Site Request Forgery)

• https://whitton.io/articles/messenger-site-wide-csrf/

SSRF (Server Side Request Forgery)

• https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
• http://thesecuritynews.com/topics/server-side-request-forgery-ssrf/
• https://github.com/cujanovic/SSRF-Testing/
• https://www.bishopfox.com/blog/2015/04/vulnerable-by-design-understanding-server-side-request-forgery/
• https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit

Application Logic

Race conditions

• https://www.josipfranjkovic.com/blog/race-conditions-on-web
• https://hackerone.com/reports/220445

Rate Limits

Open Redirect

IDOR (Insecure Direct Object Reference)

• http://www.pranavhivarekar.in/2016/06/23/facebooks-bug-delete-any-video-from-facebook/
• http://www.rohk.xyz/uber-uuid/

XXE (XML External Entity Injection/Processing)

• https://blog.zsec.uk/blind-xxe-learning/
• https://www.nds.rub.de/media/nds/arbeiten/2015/11/04/spaeth-dtd_attacks.pdf

LFI / RFI (Local/Remote File Inclusion)

• http://www.sxcurity.pro/lfi-2-rce-zip.html
• https://shahmeeramir.com/traversing-the-path-to-5000-in-help-33750808704d
• https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/

SQLi

• https://securityonline.info/sql-injection-user-agent-injection-attack/

API

OAuth / SAML

• http://philippeharewood.com/swiping-facebook-official-access-tokens/
• https://whitton.io/articles/obtaining-tokens-outlook-office-azure-account/
• https://ngailong.wordpress.com/2017/08/07/uber-login-csrf-open-redirect-account-takeover/
• http://www.economyofmechanism.com/github-saml.html#github-saml

CORs / CSP

• http://web-in-security.blogspot.co.uk/2017/07/cors-misconfigurations-on-large-scale.html
• http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-via-wildcard-subdomains/
• https://bugbountypoc.com/exploiting-cross-origin-resource-sharing/
• http://www.sxcurity.pro/2017/11/27/tricky-CORS/

Subdomain Takeover

Serialization / Deserialization

• https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
• https://github.com/CoalfireLabs/java_deserialization_exploits
• https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
• https://bling.kapsi.fi/blog/jvm-deserialization-broken-classldr.html
• http://www.afolgado.com/2017/06/10/phpcommandiargumenti/

Miscellaneous

Other Awesome Resources

• https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640
• https://www.torontowebsitedeveloper.com/hacking-resources
• https://github.com/swisskyrepo/PayloadsAllTheThings
• https://github.com/djadmin/awesome-bug-bounty
• https://github.com/enaqx/awesome-pentest/
• https://github.com/ngalongc/bug-bounty-reference
• https://forum.bugcrowd.com/t/researcher-resources-bounty-bug-write-ups/1137

Tools

Discovery

• https://github.com/aboul3la/Sublist3r
• https://github.com/infosec-au/altdns
• https://github.com/anshumanbh/brutesubs
• https://github.com/ebelties/DomainWatch

Recon

Mobile

• https://ibotpeaches.github.io/Apktool/
• https://sourceforge.net/projects/dex2jar/
• https://github.com/Konloch/bytecode-viewer
• https://www.frida.re/
• https://pentestbox.org/
• https://mobilesecuritywiki.com/

Miscellaneous

• https://github.com/bugcrowd/HUNT
• https://github.com/jordanpotti/AWSBucketDump

Other Awesome Resources

• https://bugbountyforum.com/tools/

CTF (Capture The Flag)

CTF Sites

• https://www.hackthebox.eu/en

CTF WriteUps

• https://github.com/ctfs
• https://medium.com/websec-ctf/websec-ctf-writeups-for-all-challenges-7452714477d2
• https://drigg3r.gitbooks.io/ctf-writeups-2017/
• https://zeta-two.com/ctf/2017/07/17/h1702-writeup.html
• https://aadityapurani.com/2017/07/30/bugs-bunny-ctf-writeups