SUMMARY.md

Table of contents

• 🧑 Whoami
• 🕸️ Web-AppSec
  • Features Abuse
    • 2FA
    • Ban Feature
    • CAPTCHA
    • Commenting
    • Contact us
    • File-Upload
    • Inviting Feature
    • Messaging Features
    • Money-Related Features
    • Newsletter
    • Profile - Settings
    • Registration
    • Reset Password
    • Review
    • Rich Editor/Text
    • Social Sharing
  • Reconnaissance
    • Attacking Organizations with big scopes
  • Subdomain Enumeration
  • Fingerprinting
  • Dorking
  • XSS-HTML Injection
  • Improper Authentication
    • JWT Security
  • OAUTH Misconfigurations
    • OAuth 2.0 Basics
    • OAUTH Misconfigurations
  • Broken Access Control
    • Insecure Direct Object References (IDOR)
    • 403 Bypass
  • Broken Link Injection
  • Command Injection
  • CORS
  • CRLF
  • CSRF
  • Host Header Attacks
  • HTTP request smuggling
  • JSON Request Testing
  • LFI
    • LFI to RCE
  • No Rate Limit
  • Parameters Manual Testing
  • Open Redirect
  • Registration & Takeover Bugs
  • Remote Code Execution (RCE)
  • Session Fixation
  • SQL Injection
    • SQL To RCE
  • SSRF
  • SSTI
  • Subdomain Takeover
  • Web Caching Vulnerabilities
  • WebSockets
  • XXE
    • XXE to RCE
  • Cookie Based Attacks
  • CMS
    • AEM [Adobe CMS]
  • XSSI (Cross Site Script Inclusion)
  • NoSQL injection
  • Local VS Remote Session Fixation
  • JavaScript Analysis
  • Protection
    • Security Mechanisms for Websites
    • Cookie Flags
    • SameSite Cookie Restrictions
    • Same-origin policy (SOP)
    • CSP
  • Hacking IIS Applications
  • Dependency Confusion
  • Attacking Secondary Context
  • Hacking Web Sockets
  • IDN Homograph Attack
  • DNS Rebinding Attack
  • LLM Hacking Checklist
  • Bypass URL Filtration
  • Cross-Site Path Traversal (CSPT)
  • PostMessage Security
  • Prototype Pollution
    • Client-Side Prototype Pollution
    • Server-Side prototype pollution
  • Tools-Extensions-Bookmarks
  • WAF Bypassing Techniques
  • SSL/TLS Certificate Lifecycle
  • Serialization in .NET
• ✉️ API-Sec
  • API Recon
  • API Token Attacks
  • Broken Object Level Authorization (BOLA)
  • Broken Authentication
  • Evasive Maneuvers
  • Improper Assets Management
  • Mass Assignment Attacks
  • SSRF
  • Injection Vulnerabilities
  • Excessive Data Exposure
  • OWASP API TOP 10 MindMap
  • Scanning APIs with OWASP ZAP
• 📱 Android-AppSec
  • APK Pentesting Checklist
  • Hacking InsecureBankv2 App
    • Information Gathering
    • Drozer Cheat Sheet
    • Modifying Resource Files Leads to Privilege Escalation
    • Login Backdoor
    • Analyzing SQLite Storage
    • Insecure Logging
    • Exploit Broadcast Receivers
    • Content Provider Exploit
    • Exploiting Weak Cryptography
    • IDOR Leads to ATO
  • Android App Fundamentals
    • Android Architecture
    • Android Security Model
    • Android App Components
      • Intents
      • Pending Intents
  • How To Get APK file for application
  • ADB Commands
  • APK structure
  • Android Permissions
  • Exported Activity Hacking
  • BroadcastReceiver Hacking
  • Content Provider Hacking
  • Signing the APK
  • Reverse Engineering APK
  • Deep Links Hacking
  • SMALI
    • SMALI Cheat Sheet
    • Smali Code Patching Guide
• 📶 Network-Sec
  • Networking Fundamentals
  • Open Ports Security Testing
  • Vulnerability Scanning
  • Client Side Attacks
  • Port Redirection and Tunneling
  • Password Attacks
  • Privilege Escalation [PrevEsc]
    • Linux Privilege Escalation
  • Buffer Overflow (BOF)
    • VulnServer
    • Sync Breez Enterprize
    • Crashed CTF
    • BOF for Linux
  • AV Evasion
  • Post Exploitation
    • File Transfer
    • Maintaining Access
    • Pivoting
    • Clean Up
  • Active Directory
    • Basic AD Pentesting
• 💻 Desktop AppSec
  • Thin Client vs. Thick Client
• ☁️ Cloud Sec
  • Salesforce Hacking
    • Basics
    • Salesforce SAAS Apps Hacking
  • Firebase
  • S3 Buckets Misconfigurations
• 👨‍💻 Programming
  • HTML
  • JavaScript (JS)
    • window.location object
  • Python
    • Python Tips
    • Set
      • SetMethods
  • JAVA
    • Java Essentials
    • Java Essentials Code Notes
    • Java OOP1
    • JAVA OOP Principles
      • Inheritance
      • Method Overriding
      • Abstract Class
      • Interface
      • polymorphism
      • Encapsulation
      • Composition
    • Java OOP Challenges
    • Exception Handling
  • Go
    • Go Syntax Tutorial in one file
    • Methods and Interfaces
    • Go Slices
    • Go Maps
    • Go Functions
    • Concurrency
    • Read Files
    • Write Files
    • Package
      • How to make personal Package
      • regexp Packages
      • Json
      • bufio
      • Time
    • Signals-Exit
    • Unit Testing
• 🖥️ Operating Systems
  • Linux
    • Linux Commands
    • Tools
    • Linux File System
    • Bash Scripting guide
    • tmux
    • Git
    • Install Go tools from private repositories using GitHub PAT
  • VPS
  • Burp Suite
• ✍️ Write-Ups
  • Hunting Methodology
  • API BAC leads to PII Data Disclosure
  • Misconfigured OATUH leads to Pre-Account Takeover
  • Automating Bug Bounty with GitHub Actions
  • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
  • Exploring Subdomains: From Enumeration to Takeover Victory
  • 0-Click Account Takeover via Insecure Password Reset Feature
  • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
  • The Power Of IDOR even if it is unpredictable IDs
  • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
  • AI Under Siege: Discovering and Exploiting Vulnerabilities
  • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
  • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
  • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
  • Decoding Server Behavior: The Key to Mass Account Takeover
  • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management