Skip to content

Latest commit

 

History

History
executable file
·
5050 lines (4507 loc) · 552 KB

Web.md

File metadata and controls

executable file
·
5050 lines (4507 loc) · 552 KB
Raw

The Web, Web Applications & Browsers

Table of Contents

Standards & Technologies

Attacks & Techniques

  • To Do 2. backlog 3. TLS 4. HTTP2/3 5. XSS 6. XSSI 7. XXE

General

  • 101
    • Things to Know
      • OWASP Application Security Verification Standard
        • "The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications."
      • OWASP Top Ten Project
        • The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
      • The Website Obesity Crisis
      • XSS, CSRF, CSP, JWT, WTF? IDK ¯\_(ツ)_/¯ - Dominik Kundel(JSConf Iceland2018)
        • Robert'); DROP TABLE Students;-- The little Bobby Tables is embodying the classical fear of SQL injections when building web applications. However, SQL injections are just one aspect of things we need to worry about when building web applications. With the recent popularity of Angular, React and other Single Page Application frameworks we got more logic executing on the front-end create new problems and make you forget about others. In this talk you will learn about XSS, CSRF, CORS, JWT, HTTPS, SPAs, REST APIs and other weird abbreviations, how to protect yourself and your users from the new generation of Bobby Tables.
    • Articles
  • Browsers
    • Browser-2020
      • Things you can do with a browser in 2020
      • It's like, did no one read 'The Tangled Web: A Guide to Securing Modern Web Applications'? Or did they, and their take away was, 'Man, what a bunch of great ideas! Blinking text with no user control? Woah. I'm so on this.'.
      • My point is that it is 2020, and there is no equivalent to NoScript or UBlock Origin in any major browser. Despite this, I can have picture in picture video chats, while also connecting by bluetooth and USB, devices to the browser and having each tab color coded, along with the browser knowing my power level of my device, all according to standards.
      • It's 2020, still no equivalent of NoScript or UBlock Origin available by default in any of the major browsers.
        • Yet, I can share files with others, using a contextual menu depending on installed applications, or I can give my browser access to my insecure USB and Bluetooth devices, while it makes sure my battery isn't dead from the power consumption while the containing tabs for each webapp are properly color coded. 🤔
      • Google released a paper the day after I made this comment. I stand by my comment.
      • Oh, the Places You’ll Go! Finding Our Way Back from the Web Platform’sIll-conceived Jaunts - Artur Janc, Mike West(2020)
        • In this paper, we start from a scattered list of concrete grievances about the web platform based on informal discussions among browser and web security engineers. After reviewing the details of these issues, we work towards amodel of the root causes of the problems, categorizing them based on the type of risk they introduce to the platform. We then identify possible solutions for each class of issues, dividing them by the most effective approach to address it. In the end, we arrive at a general blueprint for backing out of these dead ends. We propose a three-pronged approach which includes changing web browser defaults, creating aslew of features for web authors to opt out of dangerous behaviors, and adding new security primitives. We then show how this approach can be practically applied to address each of the individual problems, providing a conceptual framework for solving unsafe legacy web platform behaviors.
    • How Browsers Work: Behind the scenes of modern web browsers - Tali Garsiel, Paul Irish(2011)

Standards & Technologies

API Stuff

  • Tools
    • Postman - chrome plugin
    • restclient - Firefox addon
    • Astra
      • REST API penetration testing is complex due to continuous changes in existing APIs and newly added APIs. Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into CICD pipeline. Astra can take API collection as an input so this can also be used for testing apis in standalone mode.
    • mitmproxy2swagger
      • A tool for automatically converting mitmproxy captures to OpenAPI 3.0 specifications. This means that you can automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.
    • REST-Attacker
      • REST-Attacker is an automated penetration testing framework for APIs following the REST architecture style. The tool's focus is on streamlining the analysis of generic REST API implementations by completely automating the testing process - including test generation, access control handling, and report generation - with minimal configuration effort. Additionally, REST-Attacker is designed to be flexible and extensible with support for both large-scale testing and fine-grained analysis.

Backend Processing Technologies

Browser Security

  • Exploiting
    • Smashing The Browser: From Vulnerability Discovery To Exploit
      • Goes from introducing a fuzzer to producing an IE11 0day
    • The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations
    • BeEF Browser Exploitation Framework
    • BeEF
      • Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
    • Browsers Gone Wild - Angelo Prado & Xiaoran Wang - BHAsia2015
      • In this talk, we will demonstrate and unveil the latest developments on browser specific weaknesses including creative new mechanisms to compromise confidentiality, successfully perform login and history detection, serve mixed content, deliver malicious ghost binaries without a C&C server, exploit cache/timing side channels to extract secrets from third-party domains, and leverage new HTML5 features to carry out more stealthy attacks. This is a practical presentation with live demos that will challenge your knowledge of the Same Origin Policy and push the limits of what is possible with today's web clients.

Cascading StyleSheets

HTTPS Certificates & Certificate Transparency

Content Management Systems

  • Agnostic
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
      • WhatWeb
        • WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
      • w3af
        • w3af: web application attack and audit framework, the open source web vulnerability scanner.
  • Adobe Experience Manager
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
      • aem-hacker
        • Tools to identify vulnerable Adobe Experience Manager (AEM) webapps.
  • ColdFusion
  • Drupal
  • Joomla
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
      • JoomScan
        • Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendlinesss, extensibility to name a few.So, watching its vulnerabilities and adding such vulnerabilities as KB to Joomla scanner takes ongoing activity.It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites. No web security scanner is dedicated only one CMS.
      • JScanner
        • Analyze target Joomla! installation using several different techniques.
      • JoomlaVS
        • JoomlaVS is a Ruby application that can help automate assessing how vulnerable a Joomla installation is to exploitation. It supports basic finger printing and can scan for vulnerabilities in components, modules and templates as well as vulnerabilities that exist within Joomla itself.
  • Sharepoint
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
      • Sparty - Sharepoint/Frontpage Auditing Tool
        • Sparty is an open source tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.
  • Wordpress
    • 101
    • Articles/Blogposts/Writeups
    • Papers
    • Tools
    • WPScan
      • WPScan is a black box WordPress vulnerability scanner.
    • WPSeku
      • Wordpress Security Scanner

Cookies & Tokens

  • Talks/Presentations/Videos
    • Baking Your Anomalous Cookies - Jim Allee(NolaCon2019)
      • I hacked Fortnite! Actually it was a vulnerable cookie found on several domains owned by Epic Games that allowed me to hijack traffic of users of their websites, steal session tokens and of course, BeEF hook em'. I will describe my journey from creating a custom cookie fuzzing tool (Anomalous Cookie) to help identify vulnerable cookies, to creating a framework for 'Cookie Baking'. Cookie Baking is the technique of creating or modifying a cookie in a users' local Cookie Jar (this includes stuffing with malicious payloads, affiliate tags, fuzz-strings and more). I will also provide insight into the Bug Bounty process, how Google responded to my request for them to protect local cookies at rest, and how I created WHID-Injected Cookies! ;)
    • Got Cookies? Exploiting Vulnerabilities in Cookie Based Authentication - Harsh Bothra(Mayhem2021 RTV)
      • Abstract: Cookies are a widely used way to enable authentication in many of the applications out there. Over time, there has been a lot of security implications in Cookie-Based Authentication and new methods such as token-based authentication has entered the picture. Although many modern applications are adapting Token-Based authentication, Cookie-Based Authentication is still alive and can be observed in the wild. In this talk, we will look at various attack scenarios that can be exploited in the wild if the application is using cookies for authentication, tracking, personalization, or some value reflections.

Content Security Policy (CSP)

Cross-Origin Resource Sharing (CORS)

Document Object Model(DOM)

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
  • Talks & Presentations
    • Securing the DOM from the Bottom Up - Mike Samuel(BSides Cleveland2019)
      • 18 years have passed since Cross-Site Scripting (XSS) became the single most common security problem in web applications. Since then, numerous efforts have been proposed to detect, fix or mitigate it, but these piecemeal efforts have not combined to make it easy to produce XSS-free code. This talk explains how Google's security team has achieved a high-level of safety against XSS and related problems by integrating tools to make it easier for developers to produce secure software than vulnerable, and to bound the portion of a codebase that could contribute to a vulnerability. We will show how this works in practice and end with advice on how to achieve the same results on widely-used, open-source stacks and new browser mechanisms that will make it much easier to achieve high-levels of security with good developer experience.

Edge Side Include(esi)

Electron

Encoding

FIDO2/CTAP

Flash/SWF

GhostScript

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Tools

GraphQL

Hyper Text Markup Language HTML

Hyper Text Transport Protocol (HTTP)

Imagemagick

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Tools

Java & related

JavaScript

JS Frameworks

.NET-based Frameworks

Python-based Frameworks

  • General
    • the_storm/ Unexpected Execution: Wild Ways Code Execution can Occur in Python - Graham Bleaney(PyConUS2021
      • Code
      • Every Python user knows that you can execute code using eval or exec, but what about yaml or str.format? This talk will take you on a walk through all the weird and wild ways that you can achieve code execution on a Python server (and trust me, I didn’t spoil the surprise by putting the weirdest ones in the description). The talk should be equal parts practical and entertaining as we work through both real examples of code execution vulnerabilities found in running code as well as absurd remote code execution exploits. The talk will end on a practical note by explaining how Facebook detects and prevents the exploit vectors we discussed, using an open source Python Static Analyzer called Pysa.
  • Flask
    • Articles/Blogposts/Writeups
      • Injecting Flask - Ryan Reid
        • In this adventure we will discuss some of the security features available and potential issues within the Flask micro-framework with respect to Server-Side Template Injection, Cross-Site Scripting, and HTML attribute injection attacks, a subset of XSS. If you’ve never had the pleasure of working with Flask, you’re in for a treat. Flask is a lightweight python framework that provides a simple yet powerful and extensible structure (it is Python after all).

JSON

  • 101
    • json.org
      • "JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language."
    • JSON Schema
      • JSON Schema is a declarative language that allows you to annotate and validate JSON documents.
  • Articles/Blogposts/Writeups
  • Tools

JSON Web Tokens

MIME Sniffing

  • Tools

OAUTH

Parsers

Platform Agnostic Security Token (PASETO)

PHP

101

robots.txt

  • 101 * Protocol Buffers - Google * "Protocol buffers are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data – think XML, but smaller, faster, and simpler. You define how you want your data to be structured once, then you can use special generated source code to easily write and read your structured data to and from a variety of data streams and using a variety of languages."

robots.txt

RPC-related

Ruby/Ruby on Rails

Same-Origin Policy

Security Assertion Markup Language (SAML)

Service Workers

Site Isolation

Subresource Integrity

Secure Sockets Layer/Transport Layer Security(SSL/TLS)

Single Sign-On(SSO)

Streans

  • 101
    • Streams - Dec12 2019
      • This specification provides APIs for creating, composing, and consuming streams of data that map efficiently to low-level I/O primitives.

Unicode

Uniform Resource Identifier/Locator(URIs/URLs)

Web Application Firewalls(WAFs)

Web Assembly

Web Authentication

WebBluetooth

Web Hooks

WebNFC

Web Proxies

  • Talks/Presentations
    • Weird proxies/2 and a bit of magic - Aleksei Tiurin(ZeroNights2021)
      • Reverse proxies and their variations are used everywhere in modern web applications for routing, caching, and access differentiation. This talk is dedicated to new research results about different reverse proxies and new possibilities brought by HTTP/2. It is a collection of tricks for exploiting various misconfigurations.
  • Tools
    • Burpsuite
      • Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
    • ZAP - Zed Attack Proxy
    • Paros - Web Proxy
      • A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other featuers include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.
    • Mallory: Transparent TCP and UDP Proxy
      • Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend.
    • TCP Catcher
      • TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
    • wssip
      • Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
    • ratproxy
      • Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
    • proxify
      • Swiss Army Knife Proxy for rapid deployments. Supports multiple operations such as request/response dump, filtering and manipulation via DSL language, upstream HTTP/Socks5 proxy. Additionally, a replay utility allows to import the dumped traffic (request/responses with correct domain name) into BurpSuite or any other proxy by simply setting the upstream proxy to proxify.

WebRTC

Web Servers

WebSockets

  • Miscellaneous

Web Storage

WebUSB

  • 101
  • Articles/Blogposts/Presentations/Talks/Writeups
    • WebUSB - How a website could steal data off your phone
      • This blog post looks in to the capabilities of WebUSB to understand how it works, the new attack surface, and privacy issues. We will describe the processes necessary to get access to devices and how permissions are handled in the browser. Then we will discuss some security implications and shows, how a website can use WebUSB to establish an ADB connection and effectively compromise a connected Android phone.

End of Technologies Section

Attacks & Techniques

  • Tactics
  • General Reconnaissance Techniques
    • General Articles/Methodology Writeups
    • Tools that didn't fit elsewhere
      • webgrep
        • This self-contained tool relies on the well-known grep tool for grepping Web pages. It binds nearly every option of the original tool and also provides additional features like deobfuscating Javascript or appyling OCR on images before grepping downloaded resources.
    • (Almost)Fully Automating Recon
    • Attack Surface Reconaissance
      • Articles/Blogposts/Writeups
      • Tools
        • AttackSurfaceMapper
          • Attack Surface Mapper is a reconnaissance tool that uses a mixture of open source intellgence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It enumerates subdomains with bruteforcing and passive lookups, Other IPs of the same network block owner, IPs that have multiple domain names pointing to them and so on. Once the target list is fully expanded it performs passive reconnaissance on them, taking screenshots of websites, generating visual maps, looking up credentials in public breaches, passive port scanning with Shodan and scraping employees from LinkedIn.
        • intrigue-core
          • Intrigue-core is a framework for external attack surface discovery and automated OSINT.
        • Domain Analyzer
          • Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.
        • domain-profiler
          • domain-profiler is a tool that uses information from various sources (Whois, DNS, SSL, ASN) to determine what decisions have been made regarding a domain or list of domains.
        • The Hamburglar
          • Hamburglar -- collect useful information from urls, directories, and files
        • AutoRecon
        • Websy
          • Keep an eye on your targets with Websy to get quickly notified for any change they push on their Web Server
        • BlueEye
          • Blue Eye is a python Recon Toolkit script. It shows subdomain resolves to the IP addresses, company email addresses and much more ..!
        • FinalRecon
          • "FinalRecon is an automatic web reconnaissance tool written in python. Goal of FinalRecon is to provide an overview of the target in a short amount of time while maintaining the accuracy of results. Instead of executing several tools one after another it can provide similar results keeping dependencies small and simple."
        • changedetection.io
          • "The best and simplest self-hosted free open source website change detection, monitor and notification service."
        • KENZER - Automated web assets enumeration & scanning
        • webstor
          • "A script to quickly enumerate all websites across all of your organization's networks, store their responses, and query for known web technologies, such as those with zero-day vulnerabilities."
        • cariddi
          • Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more
        • Crossfeed
          • Crossfeed is a tool that continuously enumerates and monitors an organization's public-facing attack surface in order to discover assets and flag potential security flaws. By operating in either passive or active scanning modes, Crossfeed collects data from a variety of open source tools and data feeds to provide actionable information about organization assets. Crossfeed is offered as a self-service portal and allows customers to view reports and customize scans performed.
        • kunyu
          • Kunyu aims to make corporate asset collection more efficient and enable more security-related practitioners to understand and use cyberspace surveying and mapping technology.
      • Nuclei
    • Browser Automation
      • playwright
        • Node.js library to automate Chromium, Firefox and WebKit with a single API
    • Browser/Client Fingerprinting(see Also AnonOpSecPrivacy.md)
    • Browser-based Port Scan
    • DNS
      • See Network_Attacks.md -> DNS
    • Endpoint Discovery
      • Articles/Blogposts/Writeups
      • Tools
        • JSParser
          • A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests when performing security research or bug bounty hunting.
        • LinkFinder
          • LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing. Resulting in new testing ground, possibility containing new vulnerabilities. It does so by using jsbeautifier for python in combination with a fairly large regular expression.
        • relative-url-extractor
          • During reconnaissance (recon) it is often helpful to get a quick overview of all the relative endpoints in a file. These days web applications have frontend pipelines that make it harder for humans to understand minified code. This tool contains a nifty regular expression to find and extract the relative URLs in such files. This can help surface new targets for security researchers to look at. It can also be used to periodically compare the results of the same file, to see which new endpoints have been deployed. History has shown that this is a goldmine for bug bounty hunters.
        • hakrawler
        • endpointdiff
        • gau
          • Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
        • FFUF Me - Target Practice For FFUFhttps://github.com/adamtlangley/ffufme
          • This is a simple website to get you used to using ffuf against a live target
        • httpx
          • "httpx is a fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library. It is designed to maintain result reliability with an increased number of threads."
        • Kiterunner
          • Kiterunner is a tool that is capable of not only performing traditional content discovery at lightning fast speeds, but also bruteforcing routes/endpoints in modern applications.
        • httploot
          • Blogpost
          • An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites.
        • reconFTW
          • reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities
        • redscan
          • Redscan is built to discover exposed assets of a company, detect misconfigurations and compliance deviations. Redscan was conceived with the idea to automate the recon phase and the vulnerability assertion as referred to the Bug Bounty Methodology.
        • page-fetch
          • Fetch web pages using headless Chrome, storing all fetched resources including JavaScript files. Run arbitrary JavaScript on many web pages and see the returned values
    • Forced Browsing
      • Articles/Blogposts/Writeups
      • Tools
        • Dirbuster
          • DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
        • Go Buster
          • Directory/file busting tool written in Go; Recursive, CLI-based, no java runtime
        • WFuzz
          • Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc
        • dirsearch
          • dirsearch is a simple command line tool designed to brute force directories and files in websites.
        • ffuf
        • Tachyon
          • Tachyon is a Fast Multi-Threaded Web Discovery Tool
        • Syntribos
          • Given a simple configuration file and an example HTTP request, syntribos can replace any API URL, URL parameter, HTTP header and request body field with a given set of strings. Syntribos iterates through each position in the request automatically. Syntribos aims to automatically detect common security defects such as SQL injection, LDAP injection, buffer overflow, etc. In addition, syntribos can be used to help identify new security defects by automated fuzzing.
        • OpenDoor
          • OpenDoor OWASP is console multifunctional web sites scanner. This application find all possible ways to login, index of/ directories, web shells, restricted access points, subdomains, hidden data and large backups. The scanning is performed by the built-in dictionary and external dictionaries as well. Anonymity and speed are provided by means of using proxy servers.
        • rustbuster
          • A Comprehensive Web Fuzzer and Content Discovery Tool
        • feroxbuster
          • A fast, simple, recursive content discovery tool written in Rust.
        • SharpBuster
          • SharpBuster is a C# implementation of a directory brute forcing tool. It's designed to be used via Cobalt Strike's execute-assembly and similar tools, when running a similar tool over a SOCKS proxy is not feasible.
        • FES - Fast Endpoint Scanner
          • A web application endpoint scanner written in Rust, designed to put less load on the domains it scans with parsing features to help grab the important stuff (inspired by tomnomnom's meg).
        • WAES
          • CPH:SEC WAES: Web Auto Enum & Scanner - Auto enums website(s) and dumps files as result
        • crithit
          • Website Directory and file brute forcing at extreme scale.
        • snallygaster
          • Finds file leaks and other security problems on HTTP servers.
    • HTTP Enumeration
      • Articles/Blogposts/Writeups
      • Tools
        • Arjun
          • HTTP parameter discovery suite.
        • Psi-Probe
          • Advanced manager and monitor for Apache Tomcat, forked from Lambda Probe
        • HTTPLeaks
          • HTTPLeaks - All possible ways, a website can leak HTTP requests
        • HTTPie - curl for humans
          • HTTPie (pronounced aych-tee-tee-pie) is a command line HTTP client. Its goal is to make CLI interaction with web services as human-friendly as possible. It provides a simple http command that allows for sending arbitrary HTTP requests using a simple and natural syntax, and displays colorized output. HTTPie can be used for testing, debugging, and generally interacting with HTTP servers.
        • gethead
          • HTTP Header Analysis Vulnerability Tool
    • HTTP Fingerprinting
    • JS-based scanning
    • (Sub)Domain Reconnaissance
    • Javascript
    • Technology Identification
      • Articles/Blogposts/Writeups
      • Tools
        • General
          • wappy
            • A tool to discover technologies in web applications from your terminal. It uses the wap library, that is a python implementation of the great Wappalyzer browser extension. In fact, it uses the rules defined in the file technologies.json of the Wappalyzer repository.
        • CMS
          • CMSExplorer
            • CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running. Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
          • BlindElephant Web Application Fingerprinter
            • The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.
          • Fingerprinter
            • CMS/LMS/Library etc Versions Fingerprinter. This script's goal is to try to find the version of the remote application/third party script etc by using a fingerprinting approach.
          • WPScan
            • WPScan is a free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites.
        • Proxies
        • Web Servers
          • httprecon - Advanced Web Server Fingerprinting
            • The httprecon project is doing some research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis. Besides the discussion of different approaches and the documentation of gathered results also an implementation for automated analysis is provided. This software shall improve the easyness and efficiency of this kind of enumeration. Traditional approaches as like banner-grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting. Some of them were already discussed in the book Die Kunst des Penetration Testing (Chapter 9.3, HTTP-Fingerprinting, pp. 530-550).
          • WhatWeb
            • WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
    • Web Scraping
    • User Enumeration
      • Articles/Blogposts/Writeups
      • Tools
        • WhatsMyName
          • This repository has the unified data required to perform user enumeration on various websites. Content is in a JSON file and can easily be used in other projects.
        • hackability
          • Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports. To use it simply extract it to your web server and visit the url in the rendering engine you want to test. The more successful probes you get the more likely the target engine is vulnerable to attack.
    • Virtual Hosts
      • 101
      • Tools
        • virtual-host-discovery
          • This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address. During recon, this might help expand the target by detecting old or deprecated code. It may also reveal hidden hosts that are statically mapped in the developer's /etc/hosts file.
        • blacksheepwall
          • blacksheepwall is a hostname reconnaissance tool
        • VHostScan
          • A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, work around wildcards, aliases and dynamic default pages.
    • Visual Reconnaissance
      • Articles/Blogposts/Writeups
      • Tools
        • Snapback
          • Snapback is a HTTP(s) screenshot tool written to take advantage of asynchronous threading in Nodejs. It's like EyeWitness, gowitness, and rawr, etc. but generally faster, and compatible with MacOS, Windows, and Linux.
        • PowerWebShot
          • A PowerShell tool for taking screenshots of multiple web servers quickly.
        • HTTrack - Website Copier
          • It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.
        • Kraken
          • Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySql database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaniously. Once you are finished, you can view these notes you took and generate reports in the Reports section.
        • Eyeballer
          • Eyeballer is meant for large-scope network penetration tests where you need to find "interesting" targets from a huge set of web-based hosts. Go ahead and use your favorite screenshotting tool like normal (EyeWitness or GoWitness) and then run them through Eyeballer to tell you what's likely to contain vulnerabilities, and what isn't.
        • gowitness
          • gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line. Both Linux and macOS is supported, with Windows support 'partially working'.
        • webscreenshot
          • A simple script to screenshot a list of websites, based on the url-to-image PhantomJS script.
        • LazyShot
          • The simplest way to take an automated screenshot of given URLs. Easy installation!
        • RAWR - Rapid Assessment of Web Resources
        • EyeWitness
          • EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
        • SharpWitness
          • C# implementation of EyeWitness
        • webDisco
          • Web discovery tool to capture screenshots from a list of hosts & vhosts. Requests are made via IP address and vhosts to determine differences. Additionallty checks for common administrative interfaces and web server misconfigurations.
        • PowerWebShot
          • A PowerShell tool for taking screenshots of multiple web servers quickly.
        • Kraken
          • Kraken is a tool to help make your web interface testing workflow more efficient. This is done by using Django, Apache, and a MySql database to store and organize web interface screenshots and data. This allows you and your team to take notes and track which hosts have been tested simultaniously. Once you are finished, you can view these notes you took and generate reports in the Reports section.
        • electric-scan
          • Electron based screenshot scanner
        • EyeWitnessTheFitness
          • Generate one FireProx API to be used for all your EyeWitness targets, making your enumeration both opsec-friendly and convenient.
      • 3rd Party Hosted Tools
        • VisualSiteMapper
          • Visual Site Mapper is a free service that can quickly show a map of your site.
      • Web Page
        • HTCAP
          • htcap is a web application scanner able to crawl single page application (SPA) recursively by intercepting ajax calls and DOM changes.
  • Vulnerability Scanner
    • Nikto
    • Spaghetti - Web Application Security Scanner
      • Spaghetti is an Open Source web application scanner, it is designed to find various default and insecure files, configurations, and misconfigurations. Spaghetti is built on python2.7 and can run on any platform which has a Python environment.
    • skipfish
      • Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
    • wikto
      • Wikto is Nikto for Windows - but with a couple of fancy extra features including Fuzzy logic error code checking, a back-end miner, Google assisted directory mining and real time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.
    • WATOBO
      • WATABO is a security tool for testing web applications. It is intended to enable security professionals to perform efficient (semi-automated) web application security audits.
    • YASUO
      • Yasuo is a ruby script that scans for vulnerable 3rd-party web applications.
    • ParrotNG
      • ParrotNG is a tool capable of identifying Adobe Flex applications (SWF) vulnerable to CVE-2011-2461
    • Arachni Web Scanner
      • Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
    • Pyfiscan
      • Pyfiscan is free web-application vulnerability and version scanner and can be used to locate out-dated versions of common web-applications in Linux-servers. Example use case is hosting-providers keeping eye on their users installations to keep up with security-updates. Fingerprints are easy to create and modify as user can write those in YAML-syntax. Pyfiscan also contains tool to create email alerts using templates.
    • jaeles
      • "powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner."
      • Showcase examples of usage
    • 0d1n
      • 0d1n is a tool for automating customized attacks against web applications.
    • reNgine
      • reNgine is an automated reconnaissance framework meant for gathering information during penetration testing of web applications. reNgine has customizable scan engines, which can be used to scan the websites, endpoints, and gather information.
    • Osmodeus
      • Fully automated offensive security framework for reconnaissance and vulnerability scanning

Abuse of Functionality

  • jsgifkeylogger
    • a javascript keylogger included in a gif file This is a PoC

Backend File Parsing/Processing Exploitation

Brute Force/Fuzzing

  • See 'Forced-Browsing'

Cache-based Attacks

Attacking Continous Integration Systems

  • See section of same name under the 'Privesc/PostEx - General' page.

CSV Injection

Clickjacking

Cross Protocol Scripting/Request Attack

  • 101
  • Articles/Blogposts/Writeups
  • Papers
    • HTML Form Protocol Attack - Jochen Topf(2001)
      • This paper describes how some HTML browsers can be tricked through the use of HTML forms into sending more or less arbitrary data to any TCP port. This can be used to send commands to servers using ASCII based protocols like SMTP, NNTP, POP3, IMAP, IRC, and others. By sending HTML email to unsuspecting users or using a trojan HTML page, an attacker might be able to send mail or post Usenet News through servers normally not accessible to him. In special cases an attacker might be able to do other harm, e.g. deleting mail from a POP3 mailbox.
    • Cross-Protocol Request Forgery - Tanner Prynn(2018)
      • Server-Side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF) are two attackmethods that enable attackers to cross network boundaries in order to attack applications,but can only target applications that speak HTTP. Custom TCP protocols are everywhere:IoT devices, smartphones, databases, development software, internal web applications, andmore. Often, these applications assume that no security is necessary because they are onlyaccessible over the local network. This paper aims to be a definitive overview of attacksthat allow cross-protocol exploitation of non-HTTP listeners using CSRF and SSRF, and alsoexpands on the state of the art in these types of attacks to target length-specified protocolsthat were not previously thought to be exploitable.
  • Presentations/Talks/Videos
  • Tools
    • Extract data
      • Extract data is a demo combining a cross-protocol request attack with DNS rebinding

Cross Site Content Hijacking

Cross Site History Manipulation

Cross Site Request Forgery (CSRF)

Cascading-StyleSheets-related Attacks

Cross Site WebSocket Hijacking

Data Structure Attacks

Edge Side Include Injection

Embedded Malicious Code

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Presentations/Talks/Videos
  • Tools

Exploitation of Authentication

  • 101
  • Articles/Blogposts/Writeups
  • Papers
  • Presentations/Talks/Videos
  • Tools

Fuzzing

IDN Homograph & Homograph Attacks

Insecure Direct Object Reference

Execution After(/Open) Redirect (EAR)

File Upload Testing

HTML Smuggling

HTTP Request Smuggling

Image-based Exploitation AKA Exploiting Polyglot features of File standards

Injection Based Attacks

  • See also: JNDI, JSON, SQLi, XSS

OS Command Injection

JNDI Attack Class

Password Brute Forcing/Spraying

  • 101
  • Articles/Papers/Writeups
  • Tools
    • BruteLoops
      • A dead simple library providing the foundational logic for efficient password brute force attacks against authentication interfaces.
    • Big Friggin Gun (BFG)
      • BFG is a simple modular framework to perform brute-force attacks. It uses the BruteLoops library for the brute force and database management logic.

Path Confusion Attacks

  • 101
  • Articles/Papers/Writeups

LFI & RFI

Log4j

Log4j

(No)SQL Injection

  • Out-of-Band
    • Out-of-Band (OOB) SQL Injection - Lee Chun How(2019)
    • A Study of Out-of-Band Structured Query Language Injection - Lee Chun How(2019)
      • "Out-of-Band (OOB) Structured Query Language (SQL) Injection is an exploitation to exfiltrate data from database through different outbound channel. Common channel use by OOB SQL Injection for data exfiltration are through Domain Name Server (DNS) and HyperText Transfer Protocol (HTTP) channels. This type of SQL injection should address properly due to the impact is on the par with traditional methods. OOB SQL Injection impacts on database systems with insufficient of input validation control in place and allowed access to public, either DNS or HTTP protocol. Test cases and recommendation for remediation have been discussed in this paper in order to raise awareness of the exploitation."

Path Traversal Attacks

Prototype Pollution Attack

Reflected File Download

Relative Path Overwrite

  • 101
    • Relative Path Overwrite Explanation/Writeup
      • RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
  • Articles/Blogposts/Writeups
  • Talks/Presentations/Videos
  • Papers
    • Understanding and Mitigating theSecurity Risks of ContentInclusion in Web Browsers - Sajjad Arshad(2020)
      • In this thesis, I propose novel research into understanding and mitigatingthe security risks of content inclusion in web browsers to protect website pub-lishers as well as their users. First, I introduce an in-browser approach calledExcisionto automatically detect and block malicious third-party content in-clusions as web pages are loaded into the user’s browser or during the execu-tion of browser extensions. Then, I proposeOriginTracer, an in-browserapproach to highlight extension-based content modification of web pages. Fi-1 nally, I present the first in-depth study of style injection vulnerability usingRPO and discuss potential countermeasures
  • General
  • Tools
  • Miscellaneous

(De-)Serialization Attacks

Server Side Request Forgery (SSRF)

  • Tools
    • SSRFmap
      • Automatic SSRF fuzzer and exploitation tool
    • See-SURF
      • A Python based scanner to find potential SSRF parameters in a web application. See-SURF helps you detect potential SSRF parameters and validates the finding it by making a DNS/HTTP request back to your server.
    • oidc-ssrf
      • Evil OIDC server: the OpenID Configuration URL returns a 307 to cause SSRF.
    • LORSRF
      • Fast CLI tool to find the parameters that can be used to find SSRF or Out-of-band resource load
    • TLS Poison
      • A tool that allows for generic SSRF via TLS, as well as CSRF via image tags in most browsers. The goals are similar to SNI injection, but this new method uses inherent behaviors of TLS, instead of depending upon bugs in a particular implementation.
    • SSRFIRE
      • An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects

Server Side Include

Client/Server Side Template Injection

Subdomain Hijack/Takeover

Tabnabbing Attacks

Timing-based Attacks/Data race Attacks

  • 101
  • Articles/Blogposts/Writeups
  • Papers
    • Race Detection for Web Applications - Boris Petrov, Martin Vechev, Manu Sridharan, Julian Dolby
      • We present the first formulation of a happens-before relation for common web platform features. Developing this relation was a non-trivial task, due to complex feature interactions and browser differences. We also present a logical memory access model for web applications that abstracts away browser implementation details. Based on the above, we implemented WEBRACER, the first dynamic race detector for web applications. WEBRACER is implemented atop the production-quality WebKit engine, enabling testing of full-featured web sites. WEBRACER can also simulate certain user actions, exposing more races. We evaluated WEBRACER by testing a large set of Fortune 100 company web sites. We discovered many harmful races, and also gained insights into how developers handle asynchrony in practice.
    • Exposing Private Information by Timing Web Applications - Andrew Bortz, Dan Boneh, Palash Nandy(2007)
      • "We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as validity of an username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user’s perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user’s shopping cart. Our experiments sug- gest that these timing vulnerabilities are wide-spread. We explain in detail how and why these attacks work, and dis- cuss methods for writing web application code that resists these attacks."
    • Opportunities and Limits of Remote Timing Attacks - Scott A. Crosby, Dan S. Wallach, Rudolf H. Riedi(2009)
      • "Our work analyzes the limits of attacks based on accurately measuring network response times and jitter over a local network and across the Internet. We present the design of filters to significantly reduce the effects of jitter, allowing an attacker to measure events with 15-100μs accuracy across the Internet, and as good as 100ns over a local network. Notably, security-related algorithms on Web servers and other network servers need to be carefully engi- neered to avoid timing channel leaks at the accuracy demonstrated in this article."
    • Cross-origin pixel stealing: Timing attacks using CSS filters - Robert Kotcher, Yutong Pei, Pranjal Jumde, Collin Jackson(2013)
    • The Clock is Still Ticking: Timing Attacks in the Modern Web - Tom Van Goethem, Wouter Joosen, Nick Nikiforakis(2015)
      • "In this paper, we show that modern browsers expose new side-channels that can be used to acquire accurate timing measurements, regardless of network conditions. Using several real-world examples, we introduce four novel web-based timing attacks against modern browsers and describe how an attacker can use them to obtain personal information based on a user’s state on a cross-origin website. We evaluate our proposed attacks and demonstrate that they significantly outperform current attacks in terms of speed, reliability, and accuracy. Furthermore, we show that the nature of our attacks renders traditional defenses, i.e., those based on randomly delaying responses, moot and discuss possible server-side defense mechanisms."
    • Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections - Tom Van Goethem, Christina Pöpper, Wouter Joosen, Mathy Vanhoef(2020)
      • "In this paper, we introduce a conceptually novel type of timing attack that leverages the coalescing of packets by network protocols and concurrent handling of requests by applications. These concurrency-based timing attacks infer a relative timing difference by analyzing the order in which responses are returned, and thus do not rely on any absolute timing information. We show how these attacks result in a 100-fold improvement over typical timing attacks performed over the Internet, and can accurately detect timing differences as small as 100ns, similar to attacks launched on a local system. We describe how these timing attacks can be successfully deployed against HTTP/2 webservers, Tor onion services, and EAP-pwd, a popular Wi-Fi authentication method."
  • Tools
    • Requests-Racer
      • Requests-Racer is a small Python library that lets you use the Requests library to submit multiple requests that will be processed by their destination servers at approximately the same time, even if the requests have different destinations or have payloads of different sizes. This can be helpful for detecting and exploiting race condition vulnerabilities in web applications. (For more information, see motivation.md.)
    • Race the Web
      • Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) simultaneously, and then compares the responses from the server for uniqueness. Includes a number of configuration options.
    • timing_attack
      • Perform timing attacks against web applications
    • Race condition exploit
      • Tool to help with the exploitation of web application race conditions
    • OWASP TimeGap Theory
      • Repo
      • Handbook
      • OWASP TimeGap Theory is an auto-scoring capture-the-flag game that focuses entirely on TOCTOU vulnerabilities. There are seven unique challenges to be solved in TimeGap Theory. All of them can be solved just by using browser dev tools.
  • Miscellaneous

TLS Redirection (and Virtual Host Confusion)

TypoSquatting

  • 101

(Bit)/Typo-squatting

  • 101
  • Articles/Blogposts/Writeups
  • Talks/Presentations/Videos
    • Examining the Bitsquatting Attack Surface - Jaeson Schultz(Defcon21)
      • Paper
      • Bit errors in computer memory, when they occur in a stored domain name, can cause Internet traffic to be directed to the wrong Internet location potentially compromising security. When a domain name one bit different from a target domain is registered, this is called "bitsquatting". This presentation builds on previous work in this area presented by Artem Dinaburg at Blackhat 2011. Cisco's research into bitsquatting has revealed several previously unknown vectors for bitsquatting. Cisco has also discovered several new mitigations which do not involve installation of error correcting memory, nor the mass registration of bitsquat domains. In fact some of the new mitigations have the potential to render the problem of bitsquatting to the dustbin of history.

Web Shells

  • Articles
  • Detection
    • Case Study: How Backdoors Bypass Security Solutions with Advanced Camouflage Techniques
      • Look at PHP obfuscation methods for webshells
    • NeoPI
      • What is NeoPI? NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.
    • Shell Detector
      • Shell Detector – is a application that helps you find and identify php/cgi(perl)/asp/aspx shells. Shell Detector has a “web shells” signature database that helps to identify “web shell” up to 99%.
    • Loki - Simple IOC Scanner
      • Scanner for Simple Indicators of Compromise
  • Tools
    • Weevely
      • Weevely is a command line web shell dinamically extended over the network at runtime used for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments. The low footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper in the internal networks.
      • Getting Started
    • b374k shell 3.2
      • This PHP Shell is a useful tool for system or web administrator to do remote management without using cpanel, connecting using ssh, ftp etc. All actions take place within a web browser
    • Simple websockets based webshell
    • JSShell
      • An interactive multi-user web based JS shell written in Python with Flask (for server side) and of course Javascript and HTML (client side). It was initially created to debug remote esoteric browsers during tests and research. I'm aware of other purposes this tool might serve, use it at your own responsibility and risk.
    • htshells
      • Self contained web shells and other attacks via .htaccess files.
    • Encoding Web Shells in PNG IDAT chunks - idontplaydarts.com
    • novahot
      • novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, ruby, and python. Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locallly using your preferred applications.

XSS

XML

End of Attacks section

Miscellaneous

Burpsuite Stuff/Plugins

  • Plugins
    • Creating
    • API
      • burp-rest-api
        • A REST/JSON API to the Burp Suite security tool. Upon successfully building the project, an executable JAR file is created with the Burp Suite Professional JAR bundled in it. When the JAR is launched, it provides a REST/JSON endpoint to access the Scanner, Spider, Proxy and other features of the Burp Suite Professional security tool.
    • AuthN/AuthZ-related
      • AuthMatrix
        • AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services.
      • Autorize
        • Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert, and Federico Dotta, a security expert at Mediaservice.net. Autorize was designed to help security testers by performing automatic authorization tests. With the last release now Autorize also perform automatic authentication tests.
      • Escalating Privileges like a Pro - Gaurav Narwani
      • AutoRepeater
        • Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a "change request and resend" loop, which can miss vulnerabilities and slow down testing. AutoRepeater, an open source Burp Suite extension, was developed to alleviate this effort. AutoRepeater automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
      • Uniqueness plugin for Burp Suite
        • Makes requests unique based on regular expressions. Handy for registration forms and any other endpoint that requires unique values upon every request.
    • Code Scanning
    • Collaborator-related
    • Diagramming
      • PESD Exporter
        • Generate security-oriented sequence diagrams and fine-grained parsed traffic from Burp Suite Proxy history.
    • Extra-Checks/Scanners
      • backslash-powered-scanner
        • This extension complements Burp's active scanner by using a novel approach capable of finding and confirming both known and unknown classes of server-side injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.
      • HUNT
        • HUNT is a Burp Suite extension to: 1. Identify common parameters vulnerable to certain vulnerability classes; 2. Organize testing methodologies inside of Burp Suite;
      • Burp-molly-pack
        • Burp-molly-pack is Yandex security checks pack for Burp. The main goal of Burp-molly-pack is to extend Burp checks. Plugins contains Active and Passive security checks.
      • burp-suite-error-message-checks
        • Burp Suite extension to passively scan for applications revealing server error messages
      • Asset Discover
        • Burp Suite extension to discover assets from HTTP response using passive scanning.
        • Blogpost
      • Dr. Watson
        • Dr. Watson is a simple Burp Suite extension that helps find assets, keys, subdomains, IP addresses, and other useful information! It's your very own discovery side kick, the Dr. Watson to your Sherlock!
      • LinkDumper Burp Plugin
        • Extract (links/possible endpoints) from responses & filter them via decoding/sorting
      • BurpExtenderHeaderChecks
      • SQLTruncScanner
        • Messy BurpSuite plugin for SQL Truncation vulnerabilities.
      • Asset_Discover
        • Burp Suite extension to discover assets from HTTP response using passive scanning.
    • Extended-Functionality
      • burp-highlighter
      • Exporter Extension for Burp Suite
        • Exporter is a Burp Suite extension to copy a request to the clipboard as multiple programming languages functions.
      • Stepper
        • Stepper is designed to be a natural evolution of Burp Suite's Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps.
      • BurpSuiteSharpener
        • "This extension should add a number of UI and functional features to Burp Suite to make working with it easier."
      • Piper
        • Unix-style approach to web application testing - Andras Veres-Szentkiralyi(2020)
          • Web application testers of our time have lots of tools at their disposal. Some of these offer the option to be extended in ways the original developers did not think of, thus making their tool more useful. However, developing extensions or plugins have entry barriers in the form of fixed costs, boilerplate, et cetera. At the same time, many problems already have a solution designed as a smaller standalone program, which could be combined in the Unix fashion to produce a useful complex tool quickly and easily. In this paper, a (meta)solution is introduced for this integration problem by lowering the entry barriers and offer several examples that demonstrate how it saved time in web application assessments.
      • burp-copy-as-ffuf
        • Burp Extension that copies a request and builds a FFUF skeleton
      • Burp Bounty
        • "Burp Bounty (Scan Check Builder in BApp Store) is a extension of Burp Suite that allows you, in a quick and simple way, to improve the active and passive scanner by means of personalized rules through a very intuitive graphical interface."
      • Autowasp
        • a Burp Suite extension that integrates Burp issues logging, with OWASP Web Security Testing Guide (WSTG), to provide a streamlined web security testing flow
      • burpa
        • Burp Automator - A Burp Suite Automation Tool. It provides a high level CLI and Python interfaces to Burp Suite scanner and can be used to setup Dynamic Application Security Testing (DAST).
    • Forced-Browsing/File Discovery
      • BurpSmartBuster
        • Looks for files, directories and file extensions based on current requests received by Burp Suite
    • J2EE
      • J2EEScan
        • J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
    • JavaScript
      • BitMapper
        • Burp-suite Extension For finding .map files
    • JSONP
      • jsonp
        • jsonp is a Burp Extension which attempts to reveal JSONP functionality behind JSON endpoints. This could help reveal cross-site script inclusion vulnerabilities or aid in bypassing content security policies.
    • JWTs
      • JWT4B
        • JSON Web Tokens (JWT) support for the Burp Interception Proxy. JWT4B will let you manipulate a JWT on the fly, automate common attacks against JWT and decode it for you in the proxy history. JWT4B automagically detects JWTs in the form of 'Authorization Bearer' headers as well as customizable post body parameters.
      • jwt-heartbreaker
        • The Burp extension to check JWT (JSON Web Tokens) for using keys from known from public sources
        • Blogpost
    • Protobufs
      • burp-protobuf-decoder
        • A simple Google Protobuf Decoder for Burp
      • Blackbox Protobuf
        • Blackbox protobuf is a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.
    • Proxy
      • NoPE Proxy
        • Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
    • Postman
      • Postman-Integration
        • Postman Integration is an extension for burp to generate Postman collection fomat json file.
    • Repeater
      • RepeaterSearch
        • "This extension adds a search bar to the Repeater tab that can be used to highlight all repeater tabs where the request and/or response matches a query via simple text matching or Regex."
      • Bookmarks
        • "A Burp Suite extension to bookmark requests for later, instead of those 100 unnamed repeater tabs you've got open."
    • SAML
      • SAML Raider
        • SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: Manipulating SAML Messages and manage X.509 certificates.
    • Serialization
    • Single-Page-Apps
      • BurpKit
        • BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. It also provides a bi-directional Script bridge API which allows users to create quick one-off BurpSuite plugin prototypes which can interact directly with the DOM and Burp's extender API.
    • Sitemap
      • PwnBack
        • Burp Extender plugin that generates a sitemap of a website using Wayback Machine
    • SQL Injection
      • sqlipy
        • SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.
      • SQLi Query Tampering
        • SQLi Query Tampering extends and adds custom Payload Generator/Processor in Burp Suite's Intruder. This extension gives you the flexibility of manual testing with many powerful evasion techniques.
    • Swagger
      • swurg
        • Parses Swagger files into the BurpSuite for automating RESTful API testing – approved by Burp for inclusion in their official BApp Store.
    • TLS
      • Awesome TLS
        • Fix Burp Suite's horrible TLS stack & spoof any browser fingerprint
    • Turbo Intruder
      • Haptyc
        • "Haptyc is a python library which was built to add payload position support and Sniper/Clusterbomb/Batteringram/Pitchfork attack types into Turbo Intruder. While Haptyc accomplishes these goals fairly well it also introduces a simpler way to express test sequences in general. While this library was meant to target Turbo Intruder it has no hard dependencies on Turbo Intruder and can be used anywhere one requires test generation in a Python context. Unfortunately at this time since Haptyc was built for a jython interpreter it only supports Python 2.7 (however future changes will fix this)."
    • WAFs
      • HTTPSmuggler
        • A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques. This extension has been developed by Soroush Dalili (@irsdl) from NCC Group.
    • Wordlists
      • Golden Nuggets
        • Burp Suite Extension to easily create Wordlists based off URI, URI Parameters and Single Words (Minus the Domain)
      • whey-cewler.py
        • "Whey CeWLer runs within Portswigger's Burp Suite and parses an already crawled sitemap to build a custom wordlist."
    • XSS
      • reflector
        • Burp Suite extension is able to find reflected XSS on page in real-time while browsing on web-site
    • Other
      • C02
        • Co2 includes several useful enhancements bundled into a single Java-based Burp Extension. The extension has it's own configuration tab with multiple sub-tabs (for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
      • distribute-damage
        • Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle, and a context menu to trigger scans from. It may also come in useful for avoiding detection.
      • Office Open XML Editor - burp extension
      • Bumpster
        • The Unofficial Burp Extension for DNSDumpster.com. You simply supply a domain name and it returns a ton of DNS information and basically lays out the external network topology.
      • ParrotNG - burp plugin
      • Brida
        • Brida is a Burp Suite Extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications’ own methods while tampering the traffic exchanged between the applications and their back-end services/servers. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android, and QNX)
      • Cyber Security Transformation Chef
        • The Cyber Security Transformation Chef (CSTC) is a Burp Suite extension. It is build for security experts to extend Burp Suite for chaining simple operations for each incomming or outgoing message. It can also be used to quickly make a special custom formatting for the message.
      • Hackbar
        • Hackbar plugin for Burp
      • progress-burp
        • Burp Suite extension to track vulnerability assessment progress
  • Burp Macros

Cloudflare

Bug Bounty Writeups

ToDo links

XSS
	https://github.com/EgeBalci/xss-flare
	https://medium.com/@spade.com/a-guide-to-make-your-own-serverless-blind-xss-and-blind-oob-payload-18f8f2b9c507
	https://ysamm.com/?p=493
	https://netsec.expert/posts/xss-in-2021/
	https://0xmkr24.medium.com/cross-site-scripting-contexts-walkthrough-portswigger-labs-part-1-aad6cf65e49b
	https://securitygoat.medium.com/data-exfiltration-with-some-fun-xss-tricks-49e9251f05fd
	https://portswigger.net/research/portable-data-exfiltration
	https://swarm.ptsecurity.com/fuzzing-for-xss-via-nested-parsers-condition/
	https://www.rcesecurity.com/2020/11/Smuggling-an-un-exploitable-xss/
	https://github.com/heroanswer/XSS_Cheat_Sheet_2020_Edition
	https://liveoverflow.com/do-not-use-alert-1-in-xss/
	https://blog.mozilla.org/attack-and-defense/2021/11/03/finding-and-fixing-dom-based-xss-with-static-analysis/
	https://hacklido.com/blog/252-xss-filter-evasion-and-waf-bypassing
	https://whynotsecurity.com/blog/xss-to-rce/
	https://www.youtube.com/embed/xxKAvx4UeUg
	https://www.volkis.com.au/blog/bypass-xss-in-wafs/
	https://www.youtube.com/watch?v=mKAWpFdVcPY
	https://docs.google.com/presentation/d/130n98LMDyD1xyZp5wzgmjmrZPP-nBcU9tI3NaOVfBs0/preview#slide=id.p
	https://github.com/redcode-labs/poXSSon
	https://www.youtube.com/watch?v=HU3np5xvioA
	https://github.com/kleiton0x00/ppmap
	https://www.blackhat.com/presentations/bh-europe-07/Dube-Rios/Whitepaper/bh-eu-07-rios-WP.pdf
	https://pentestit.medium.com/hey-dude-do-you-need-script-on-your-page-d9192df990f4
	https://twitter.com/orange_8361/status/1333458585980813333
	https://www.trustedsec.com/events/webinar-popping-shells-instead-of-alert-boxes-weaponizing-xss-for-fun-and-profit/
	https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
	https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/
	https://dev.to/caffiendkitten/xss-javascript-polyglots-4i64
	https://bishopfox.com/blog/lexss-bypassing-lexical-parsing-security-controls
	https://lutfumertceylan.com.tr/posts/acc-takeover-web-cache-xss/
	https://medium.com/bugbountywriteup/content-security-policy-bypass-to-perform-xss-3c8dd0d40c2e
	https://knoxss.me/?page_id=766
	https://www.youtube.com/watch?v=TgilzlNHFz8
	https://github.com/hakluke/weaponised-XSS-payloads
	https://twitter.com/intigriti/status/1356245100414840833
	https://github.com/yavolo/eventlistener-xss-recon
	https://medium.com/@know.0nix/hunting-good-bugs-with-only-html-d8fd40d17b38	
	https://leucosite.com/Edge-Chromium-EoP-RCE/
	https://github.com/hahwul/dalfox
	https://www.immersivelabs.com/resources/blog/wagtail-xss-localstorage-account-hijack/
	https://portswigger.net/research/redefining-impossible-xss-without-arbitrary-javascript
	https://r2c.dev/blog/2021/xss-cheat-sheets/
	https://thehackerblog.com/video-download-uxss-exploit-detailed/
	https://medium.com/realmodelabs/kindledrip-from-your-kindles-email-address-to-using-your-credit-card-bb93dbfb2a08
	https://blog.s1r1us.ninja/bug-bounty/cookie-tossing-to-rce-on-google-cloud-jupyter-notebooks
	https://medium.com/bugbountywriteup/intigritis-december-xss-challenge-2020-unintended-solution-8205b4a4b95b
	https://chefsecure.com/courses/xss/recipes/polyglots-the-ultimate-xss-payloads
	https://medium.com/cyberverse/obfuscated-polyglot-xss-payloads-simplified-with-references-157e95b1d601
	https://security.szurek.pl/en/xss-polyglot.html
	https://easterxss.terjanq.me/writeup.html
	https://www.youtube.com/watch?utm_campaign=bug_bytes_99_bypassing_bots_and_wafs_jq_in_burp_smarter_json_fuzzing_and_subdomain_takeovers
		* [AwesomeXSS - Somdev Sangwan](https://github.com/s0md3v/AwesomeXSS)
			* Awesome XSS stuff
	Cookies
		https://medium.com/@agrawalsmart7/cookie-based-injection-xss-making-exploitable-with-out-exploiting-other-vulns-81132ca01d67
		https://security.stackexchange.com/questions/36172/is-cookie-based-xss-exploitable
		https://wesecureapp.com/2017/07/10/xss-by-tossing-cookies/
		http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/
		https://appsecnotes.blogspot.com/2009/11/xss-via-cookie-how-severe.html
		http://blog.k3170makan.com/2013/10/aboutme-cookie-based-xss.html
		https://blog.jeremiahgrossman.com/2010/02/converting-unimplementable-cookie-based.html
	DOM
		https://enfinlay.github.io//xss/dom/burp/2021/02/23/dom-xss-is-dead.html
		https://vovohelo.medium.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass-5d9ae8b1878f
		https://github.com/nccgroup/tracy
		https://static.sched.com/hosted_files/njsi2019/31/Securing%20the%20DOM%20from%20the%20bottom%20up%20-%20Node%2BJS%20Interactive.pdf
		https://www.youtube.com/watch?v=QBkLI35sxVsutm_campaign=bug_bytes_103_cookie_tossing_recon_tools_benchmarks_stealing_google_docs_with_screenshots&utm_term=2020-12-30
		https://research.securitum.com/helping-secure-dompurify-part-1/
		https://github.com/filedescriptor/untrusted-types
		https://thexssrat.medium.com/digging-deep-into-dom-xss-9ed172876477
		* [Restricted-character XSS for fun - physuru.dev(2021)](https://web.archive.org/web/20210414031135/https://physuru.dev/blog/restricted_character_xss/)
		https://blog.mozilla.org/attack-and-defense/2021/11/03/finding-and-fixing-dom-based-xss-with-static-analysis/
		https://portswigger.net/web-security/dom-based/cookie-manipulation
		https://owasp.org/www-community/attacks/DOM_Based_XSS
		https://portswigger.net/blog/introducing-dom-invader
		https://medium.com/@shilpybanerjee/dom-based-cookie-manipulation-portswigger-lab-16ae86de26fc
		https://medium.com/bugbountywriteup/reflected-xss-on-microsoft-com-via-angular-template-injection-2e26d80a7fd8
		https://medium.com/@lucideus/a-definitive-guide-to-session-hijacking-lucideus-research-71165a672973
		https://security.stackexchange.com/questions/176897/how-to-exploit-dom-xss-in-cookies-without-having-xss-on-the-page/176938
		https://github.com/wisec/domxsswiki
		https://hackerone.com/reports/57356
		https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/dom-xss
		https://github.com/wisec/domxsswiki
	Talks
		* [Tracing User Input Through JavaScript is for Tools - Jake Heath, Michael Roberts(2018)](https://www.youtube.com/watch?v=3zowuWLEGsA&list=PL7D3STHEa66TbZwq9w3S2qWzoJeNo3YYN&index=21)
			* Being able to comprehend causal relationships between sources of user input and their corresponding output is a distinguishing characteristic that separates the master web hacker from the novice script kiddy. The better a tester can grasp these relationships, the faster they can abuse lapses in input sanitization, identify dangerous programming patterns, and understand the overall attack surface of the application. However, enumerating these relationships is difficult and time intensive to do by hand, especially with JavaScript-heavy apps. Security scanning tools have tried to automate this procedure, but they face several problems in modern web applications: To solve these problems, we need a tool that augments, not automates, a manual penetration tester by helping them understand all of the inputs and outputs of a web application. To this end, we present Tracy, a tool for assisting penetration testers with enumerating every sink of output for all user input sources.
XSSI
	https://blog.cm2.pw/exploiting-post-based-xssi/
	https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf
	* [XSSI and JSONP leaks](https://github.com/EdOverflow/bugbountywiki/wiki/XSSI-and-JSONP-leaks)
	* [The Tale of a Fameless but Widespread Web Vulnerability Class - Veit Hailperin](https://www.youtube.com/watch?v=5qA0CtS6cZ4)
		* [Blogpost](https://www.scip.ch/en/?labs.20160414)
		* Two keys components account for finding vulnerabilities of a certain class: awareness of the vulnerability and ease of finding the vulnerability. Cross-Site Script Inclusion (XSSI) vulnerabilities are not mentioned in the de facto standard for public attention - the OWASP Top 10. Additionally there is no public tool available to facilitate finding XSSI. The impact reaches from leaking personal information stored, circumvention of token-based protection to complete compromise of accounts. XSSI vulnerabilities are fairly wide spread and the lack of detection increases the risk of each XSSI. In this talk we are going to demonstrate how to find XSSI, exploit XSSI and also how to protect against XSSI.
XS-Leaks
	https://arturjanc.com/visited-delenda-est.pdf
XS-Search
	https://www.youtube.com/watch?v=HcrQy0C-hEA
	https://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html
	https://www.abortz.net/papers/timingweb.pdf
	https://www.owasp.org/images/a/a7/AppSecIL2015_Cross-Site-Search-Attacks_HemiLeibowitz.pdf
	https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549
	https://www.blackhat.com/docs/us-16/materials/us-16-Gelernter-Timing-Attacks-Have-Never-Been-So-Practical-Advanced-Cross-Site-Search-Attacks.pdf
	https://sites.google.com/site/bughunteruniversity/nonvuln/xsleaks
	https://terjanq.github.io/Bug-Bounty/Google/cache-attack-06jd2d2mz2r0/index.html
	https://github.com/xsleaks/xsleaks/wiki/Links
	http://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html
XXE
	https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/
	https://gosecure.github.io/xxe-workshop/#0
	https://cinzinga.com/XXE-Case-Studies/
	https://read.martiandefense.llc/hacking-xml-xml-injection-51bea2edd3a2?gi=5fb445391ec6
	https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/HIP2019-Advanced_XXE_Exploitation.pdf
		https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_1_simple.pdf
		https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_2_external_dtd.pdf
		https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_3_php_encoding.pdf
		https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_4_jar_proto.pdf
		https://gosecure.github.io/presentations/2019-06-19-hack_in_paris/Exercise_5_local_dtd.pdf
	https://speakerdeck.com/0ang3el/a-hackers-perspective-on-aem-applications-security