2023-08-31 12:30:24 +03:00
# Web Hacking + Bug Bounty Tricks
2023-09-07 10:39:57 +03:00
![5829442 ](https://github.com/Mehdi0x90/Web_Hacking/assets/17106836/5ffcc3e2-3cc0-4327-b5f9-00c58f524c6b )
2023-09-18 09:11:31 +03:00
These are my **Bug Bounty / Pentest** notes that I have gathered from various sources.
2023-09-07 13:00:22 +03:00
You can also contribute.
[![Twitter URL ](https://img.shields.io/twitter/follow/mehdi0x90 )](https://twitter.com/mehdi0x90)
2023-08-28 10:48:00 +03:00
2023-09-15 16:21:48 +03:00
## List of Vulnerabilities
2023-08-28 10:57:19 +03:00
* [API Key Leak ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/API%20Key%20Leak.md )
2023-10-31 11:44:46 +03:00
* [CRLF Injection ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/CRLF.md )
2023-08-30 09:54:09 +03:00
* [CSRF ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/CSRF.md )
2023-09-18 09:08:16 +03:00
* [Cache Poisoning / Deception ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Cache%20Deception.md )
2023-09-15 17:01:05 +03:00
* [DOM Clobbering ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Dom%20Clobbering.md )
2023-09-19 13:53:27 +03:00
* [File Inclusion ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/File%20Inclusion.md )
2023-08-28 10:57:19 +03:00
* [File Upload ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/File%20Upload.md )
2023-10-03 16:59:56 +03:00
* [GraphQL ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/GraphQL.md )
2023-10-30 11:14:06 +03:00
* [Host Header Injection ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Host%20Header%20Injection.md )
2023-09-02 15:14:55 +03:00
* [IDOR ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/IDOR.md )
2023-09-15 16:26:38 +03:00
* [JWT ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/JWT.md )
2023-09-17 10:04:09 +03:00
* [NoSQLi ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/NoSQL%20Injection.md )
2023-08-28 10:57:19 +03:00
* [Open Redirect ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Open%20Redirect.md )
* [Race Condition ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Race%20Condition.md )
2023-12-04 10:21:36 +03:00
* [Reverse Tab Nabbing ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Reverse%20Tab%20Nabbing.md )
2023-09-17 10:04:09 +03:00
* [SQLi ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/SQL%20Injection.md )
2023-08-28 10:57:19 +03:00
* [SSRF ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/SSRF.md )
* [XSS ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/XSS.md )
2023-09-19 09:10:52 +03:00
* [XXE ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/XXE.md )
2023-08-28 10:57:19 +03:00
2024-02-10 10:06:47 +03:00
2023-09-15 16:21:48 +03:00
## Bypass Techniques
2023-09-15 16:23:15 +03:00
* [2FA / OTP Bypass ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/2FA_OTP_Bypass.md )
2023-09-15 16:21:48 +03:00
* [403 Bypass ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/403%20Bypass.md )
* [429 Bypass ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/429%20Bypass.md )
* [Captcha Bypass ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Captcha%20Bypass.md )
* [CSP Bypass ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/CSP%20Bypass.md )
2023-09-17 13:56:11 +03:00
* [Login Bypass ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Login%20Bypass.md )
2023-09-18 11:45:16 +03:00
* [Rate Limit Bypass ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Rate%20Limit%20Bypass.md )
2023-09-20 13:15:01 +03:00
* [Reset Password Bypass ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Reset%20Password%20Bypass.md )
* [WAF Detect / Bypass ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/WAF%20Bypass.md )
2023-09-18 11:45:16 +03:00
2023-09-15 16:21:48 +03:00
## Recon & OSINT Techniques
* [Recon ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Recon.md )
2023-09-16 16:19:16 +03:00
* [OSINT ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/OSINT.md )
2023-09-15 16:21:48 +03:00
2024-04-13 08:02:23 +03:00
2024-04-13 09:14:54 +03:00
## Cloud / Docker
2024-02-10 10:06:47 +03:00
* [General ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Cloud-General.md )
2024-02-10 10:45:26 +03:00
* [Info Gathering ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Cloud%20-%20Info%20Gathering.md )
* [AWS ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Cloud%20-%20AWS.md )
2024-02-10 12:18:08 +03:00
* [Azure ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Cloud%20-%20Azure.md )
* [GCP ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Cloud%20-%20GCP.md )
2024-04-13 09:16:46 +03:00
* [CDN - Domain Fronting ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Cloud%20-%20CDN%20-%20Domain%20Fronting.md )
2024-02-10 12:18:08 +03:00
* [Docker & Kubernetes ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Cloud%20-%20Docker%20%26%20Kubernetes.md )
2024-04-13 09:13:47 +03:00
* [Container Attacks ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Container%20Attacks.md )
2024-02-10 10:06:47 +03:00
2023-09-15 16:21:48 +03:00
## Top Tools & Extensions
2023-10-05 09:10:54 +03:00
* [inql ](https://github.com/doyensec/inql ) - Burp extension for advanced GraphQL testing
* [Logger++ ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/LoggerPlusPlus.md ) - Burp extension, a multithreaded logging extension for Burp Suit
* [param-miner ](https://github.com/PortSwigger/param-miner ) - Burp extension, identifies hidden, unlinked parameters
2024-06-14 13:13:05 +03:00
* [Oralyzer ](https://github.com/r0075h3ll/Oralyzer ) - a simple python script that probes for Open Redirection vulnerability in a website
* [SQLiPy Sqlmap Integration ](https://portswigger.net/bappstore/f154175126a04bfe8edc6056f340f52e ) - SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API
* [ParamSpider ](https://github.com/0xKayala/ParamSpider ) - Parameter miner for humans
* [gf ](https://github.com/tomnomnom/gf ) - A wrapper around grep to avoid typing common patterns
2023-09-15 16:21:48 +03:00
2023-10-01 08:42:29 +03:00
## Mindmaps for Bug Hunters
2023-09-27 16:30:49 +03:00
* [XXE ](mindmaps-pdf/XXE.pdf )
2023-10-01 08:45:15 +03:00
* [SSRF ](mindmaps-pdf/SSRF.pdf )
* [CORS ](mindmaps-pdf/CORS.pdf )
2023-09-27 16:32:14 +03:00
* [Prototype Pollution ](mindmaps-pdf/Prototype%20Pollution.pdf )
2023-09-26 08:46:10 +03:00
2023-12-22 13:36:39 +03:00
## Red Team Attacks
2024-01-01 13:13:48 +03:00
* [Insecure Interfaces and APIs - For Cloud ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Insecure%20Interfaces%20and%20APIs.md )
2024-01-01 14:06:58 +03:00
* [Privilege escalation EC2 ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Privilege%20escalation%20EC2.md )
2023-12-22 13:36:39 +03:00
* [SMTP ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Red%20Team%20-%20SMTP.md )
2023-12-02 09:58:22 +03:00
## Secure Coding
2023-12-04 15:06:03 +03:00
* [2FA ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%202FA.md )
2023-12-03 09:57:52 +03:00
* [Password Reset ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Password%20Reset.md )
2023-12-03 09:58:55 +03:00
* [Session Fixation ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Session%20Fixation.md )
2023-12-09 14:32:24 +03:00
* [Broken Object Level Authorization ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Broken%20Object%20Level%20Authorization.md )
* [Broken Authentication ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Broken%20Authentication.md )
* [Broken Object Property Level Authorization ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Broken%20Object%20Property%20Level%20Authorization.md )
2023-12-10 14:11:45 +03:00
* [Unrestricted Resource Consumption ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Unrestricted%20Resource%20Consumption.md )
2023-12-10 14:46:26 +03:00
* [Broken Function Level Authorization ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Broken%20Function%20Level%20Authorization.md )
2023-12-15 16:40:33 +03:00
* [Unrestricted Access to Sensitive Business Flows ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Unrestricted%20Access%20to%20Sensitive%20Business%20Flows.md )
2023-12-16 09:34:13 +03:00
* [Server Side Request Forgery ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Server%20Side%20Request%20Forgery.md )
2023-12-16 09:52:20 +03:00
* [Security Misconfiguration ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Security%20Misconfiguration.md )
2023-12-16 10:22:38 +03:00
* [Improper Inventory Management ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Improper%20Inventory%20Management.md )
2023-12-16 10:41:15 +03:00
* [Unsafe Consumption of APIs ](https://github.com/Mehdi0x90/Web_Hacking/blob/main/Secure%20Coding%20-%20Unsafe%20Consumption%20of%20APIs.md )
2023-10-01 08:42:29 +03:00
2023-09-17 13:56:11 +03:00
-----
*All content of this repository will always be updated...*