9adb81e6d8 | ||
---|---|---|
AWS Amazon Bucket S3 | ||
CRLF injection | ||
CSV injection | ||
CVE Shellshock Heartbleed Struts2 | ||
File Inclusion - Path Traversal | ||
Insecured source code management | ||
LDAP injection | ||
Methodology and Resources | ||
NoSQL injection | ||
OAuth | ||
Open redirect | ||
PHP juggling type | ||
PHP serialization | ||
Remote commands execution | ||
SQL injection | ||
SSRF injection | ||
Server Side Template injections | ||
Tar commands execution | ||
Traversal directory | ||
Upload insecure files | ||
Web cache deception | ||
XPATH injection | ||
XSS injection | ||
XXE injections | ||
.gitignore | ||
README.md |
README.md
Payloads All The Things
A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :)
Tools
- Kali Linux
- Web Developper
- Hackbar
- Burp Proxy
- Fiddler
- DirBuster
- GoBuster
- Knockpy
- SQLmap
- Nikto
- Nessus
- Recon-ng
- Wappalyzer
- Metasploit
Docker
-
docker pull remnux/metasploit
- docker-metasploit -
docker pull paoloo/sqlmap
- docker-sqlmap -
docker pull kalilinux/kali-linux-docker
official Kali Linux -
docker pull owasp/zap2docker-stable
- official OWASP ZAP -
docker pull wpscanteam/wpscan
- official WPScan -
docker pull infoslack/dvwa
- Damn Vulnerable Web Application (DVWA) -
docker pull danmx/docker-owasp-webgoat
- OWASP WebGoat Project docker image -
docker pull opendns/security-ninjas
- Security Ninjas -
docker pull ismisepaul/securityshepherd
- OWASP Security Shepherd -
docker-compose build && docker-compose up
- OWASP NodeGoat -
docker pull citizenstig/nowasp
- OWASP Mutillidae II Web Pen-Test Practice Application -
docker pull bkimminich/juice-shop
- OWASP Juice Shop
More resources
Book's list:
-
The Hacker Playbook 2: Practical Guide to Penetration Testing
-
Black Hat Python: Python Programming for Hackers and Pentesters
-
The Database Hacker's Handbook, David Litchfield et al., 2005
-
The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009
-
The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011
-
The Mobile Application Hackers Handbook by Dominic Chell et al., 2015
Blogs/Websites
- http://blog.zsec.uk/101-web-testing-tooling/
- https://blog.innerht.ml
- https://blog.zsec.uk
- https://www.exploit-db.com/google-hacking-database
- https://www.arneswinnen.net
- https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
Youtube
- Hunting for Top Bounties - Nicolas Grégoire
- BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen
- Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén
Practice
- Root-Me
- Zenk-Security
- W3Challs
- NewbieContest
- Vulnhub
- The Cryptopals Crypto Challenges
- Penetration Testing Practice Labs
- alert(1) to win
- Hacksplaining
- HackThisSite
- PentesterLab : Learn Web Penetration Testing: The Right Way
Bug Bounty