Repository of Bug-Bounty Writeups
https://github.com/fardeen-ahmed/Bug-bounty-Writeups

# Awesome BugBounty 👨‍💻

This repository can be used as a reference while learning and performing Bug-Bounty hunting.


| Basic Tools | Description |
|-----------|-----|
| XSSTRON | Electron JS Browser To Find XSS Vulnerabilities Automatically |
| Burpsuite Sharpener | Extension that adds a number of UI and functional features to Burp Suite to make working with it easier |
| Automate to find IP address | Automates finding the IP address of a website behind Cloudflare |
| Taser | Python3 resource library for creating security related tooling |
| Uro | Using a URL list for security testing can be painful as there are a lot of URLs that have uninteresting/duplicate content; uro aims to solve that. |
| Fire | This is a simple tool meant to work in a pipeline of other scripts. It takes domains on stdin and outputs them on stdout if they resolve |
| PASTIS | The PASTIS project is a fuzzing framework aiming at combining various software testing techniques within the same workflow to perform collaborative fuzzing also called ensemble fuzzing. |
| MCVA | MetaMask Clickjacking Vulnerability Analysis |
| Burp Automator | A Burp Suite Automation Tool. It provides a high level CLI and Python interfaces to Burp Suite scanner and can be used to set up Dynamic Application Security Testing (DAST) |
| GoWhois | Whois command implemented by golang with awesome whois servers list |
| Relateddomains | Find related domains of a given domain |
| Ciphey | Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes.|
| CSPRecon | Discover new target domains using Content Security Policy |
| CookieMonster | This helps you detect and abuse vulnerable implementations of stateless sessions |
| DNSSEC | Subdomain Enumeration with DNSSEC |
| ReconNG | OSINT Research |
| Katana | A next-generation crawling and spidering framework. |
| BurpText4Shell | Text4shell scanner for Burp Suite. |
| RUSTSCAN | THE MODERN PORT SCANNER |
| Holy FFUF! | A Beginner Guide to Fuzz with FFUF |
| GraphQLmap | This is a scripting engine to interact with a graphql endpoint for pentesting purposes |
| VAmPI | Vulnerable REST API with OWASP top 10 vulnerabilities for security testing |
| Clif | This is a command-line interface (CLI) application fuzzer, pretty much what wfuzz or ffuf are for web. |
| Ghauri | This is an advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws |
| DOM Invader | Introducing DOM Invader, DOM XSS just got a whole lot easier to find |
| JiraLens | Fast and customizable vulnerability scanner For JIRA written in Python |
| Urls deduplication | Urls deduplication tool for better recon. |
| ZKar | This is a Java serialization protocol analysis tool implemented in Go. |
| Smap | This is a drop-in replacement for Nmap powered by shodan.io |
| DumpXSS | A scanner tool For XSS Vulnerability |
| x8 | Hidden parameters discovery suite written in Rust |
| Nginxpwner | This is a simple tool to look for common Nginx misconfigurations and vulnerabilities. |
| BurpGPT | A Burp Suite extension that integrates OpenAI's GPT to perform an additional passive scan for discovering highly bespoke vulnerabilities, and enables running traffic-based analysis of any type. |
| Caido | Lightweight Web Security Auditing Toolkit |
| AssetFinder | A Handy Subdomain and Domain Discovery Tool |
| Secret Magpie | Secret Detection Tool |
| Designing sockfuzzer | A network syscall fuzzer for XNU. |
| Proto Find | Check if your target is vulnerable for client side prototype pollution |
| Protoscan | Prototype Pollution Scanner made in Golang. |
| BufferPwn | RCE vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS |
| CRLFuzz | Hacker Tools: Injecting CRLF for bounties |
| NFT | New differential fuzzing tool reveals novel HTTP request smuggling techniques. |
| S3Scanner | Scan for open S3 buckets and dump the contents. |
| Kurl | HTTP Requests for security researchers |
| UDON | A simple tool that helps to find assets/domains based on the Google Analytics ID. |
| roxify | Swiss Army knife Proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go |
| revshells | Online Reverse Shell Generator |
| S3cret Scanner | Hunting For Secrets Uploaded To Public S3 Buckets |
| HTTPLoot | An automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and "loot" secrets out of the client-facing code of sites |
| Cewl | A Detailed Guide on Cewl |
| hakoriginfinder | A tool for discovering the origin host behind a reverse proxy. Useful for bypassing WAFs and other reverse proxies |
| PurplePanda | Identify privilege escalation paths within and across different clouds |
| TProxer | A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF |
| STEWS | This is a tool suite for security testing of WebSockets |
| Webrecon | Automated Web Recon Shell Scripts |
| ffuf Primer | More on FFUF |
| Wafme0w | A fast and lightweight Web Application Firewall fingerprinting tool. |
| Ghauri | An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws |
| Leakos | Search with gitleaks and trufflehog in the responses of the given URLs or in all the repos of an organization and its members. |
| Pycript | This is a Burp Suite extension that enables users to encrypt and decrypt requests for manual and automated application penetration testing. |
| Gotator | This is a tool to generate DNS wordlists through permutations. |
| ChopChop | This is a CLI to help developers scan endpoints and identify exposure of sensitive services/files/folders |
| Baserunner | This is a tool for exploring and exploiting Firebase datastores |
| Oralyzer | This is a simple python script that probes for Open Redirection vulnerability in a website. It does that by fuzzing the URL that is provided in the input |
| vAPI | This is Vulnerable Adversely Programmed Interface, a self-hostable API that mimics OWASP API Top 10 scenarios in the form of exercises. |
| FIVERECON | Use favicon.ico to improve your target recon phase. Quickly detect technologies, WAF, exposed panels, known services. |
| Turbo Intruder | This Hacker Tool is Going faster than ever! |
| nrich | A command-line tool to quickly analyze all IPs in a file and see which ones have open ports/vulnerabilities. Can also be fed data from stdin to be used in a data pipeline. |
| Meg | Endpoint scan the masses! |
| PureDNS | Subdomain bruteforcing tool that improves massdns to accurately handle wildcard subdomains and DNS poisoning. |
| JWTReauth | A new tool for JWT Reauth issues |
| S3Sec | Check AWS S3 instances for read/write/delete access |
| Uniscan | An RFI, LFI, and RCE Vulnerability Scanner |
| Jira Scan | This is a simple remote scanner for Atlassian Jira. |
| Webpack Exploder | Unpack the source code of React and other Webpacked Javascript apps! Check out Expanding the Attack Surface. |
| Raider | Web authentication testing framework |
| Reconator | Automated Recon for Pentesting & Bug Bounty |
| Log4j2Scan | Log4j2 RCE Passive Scanner plugin for BurpSuite |
| WARF | This is a Web Application Reconnaissance Framework that helps to gather information about the target. |
| GooFuzz | GooFuzz is a tool to perform fuzzing with an OSINT approach, managing to enumerate directories, files, subdomains or parameters without leaving evidence on the target's server and by means of advanced Google searches (Google Dorking). |
| GradeJS | This tool analyzes production Webpack bundles without having access to the source code of a website. |
| Waymore | Find way more from the Wayback Machine! |
| Pastos | Search pastes in tens of webs in seconds with GCSE. |
| gitlabsubdomains | Find subdomains on GitLab |
| Cero | Scrape domain names from SSL certificates of arbitrary hosts |
| Smap | Passive Nmap like scanner built with shodan.io |
| CSRF Generator | This html file creates a csrf poc form to any http request. |
| Trivy | A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI |
| Lepus | This is a tool for enumerating subdomains, checking for subdomain takeovers and perform port scans and boy, is it fast! |
| subzuf | subzuf is a subdomain bruteforce fuzzer coupled with an immensely simple but effective DNS response-guided algorithm. |
| csprecon | Discover new target domains using Content Security Policy |
| Frogy | Using the combination of different subdomain enumeration tools and logic this script tries to identify more subdomains and TLDs in recon. |
| xnLinkFinder | A python tool used to discover endpoints for a given target |
| BLH | BrokenLinkHijacker is a Fast Broken Link Hijacker Tool written in Python |
| netlas.io | A new search engine for discovering, researching and monitoring any asset. It is so useful for your #bugbounty recon automation. |
| SecretMagpie | A secret detection tool that hunts out all the secrets hiding in all your repositories. |
| bbr | It is an open source tool to aid in command line driven generation of bug bounty reports based on user provided templates. |
| PacketStreamer | This is a tool for distributed packet capture for cloud-native platforms |
| JSpector | It is a Burp Suite extension that passively crawls JavaScript files and automatically creates issues with URLs and endpoints found on the JS files |
| Uncover | Quickly discover exposed hosts using multiple search engines |
| ASNMap | A Golang CLI tool for speedy reconnaissance using ASN data |
| Go Dork | The fastest dork scanner written in Go |
| uro | Declutters url lists for crawling/pentesting |
| ClusterFuzzLite | Simple continuous fuzzing that runs in CI |
| Gorks | Google Dorks finally made easy to run without hiding. |
| dnsmonster | Passive DNS Capture/Monitoring Framework |
| fail2ban | Remote Code Execution |
| ppfuzz | Prototype Pollution Fuzzer |
| userefuzz | User-Agent, X-Forwarded-For and Referer SQLi Fuzzer |
| Astra | Astra finds urls, endpoints, aws buckets, api keys, tokens, etc from a given url/s |
| Cloudlist | This is a tool for listing Assets from multiple Cloud Providers |
| r2flutch | A tool to decrypt iOS apps using r2frida |
| Shodan Dorks | The H4CK3R God’s Eye |
| Gouge | Gouge is a simple Burp extension to extract or gouge all URLs which are seen in JS files as you visit different websites/webpages in Burp Suite |
| mxtakeover | This tool focuses on DNS MX records and detects misconfigured MX records. |

# General Writeups

| Description |
|-----|
| Miracle One Vulnerability To Rule Them All |
| Saltzer and Schroeder's 10 secure design principles as applied to solidity smart contracts. |
| Teen hacker scoops $4,500 bug bounty for Facebook flaw that allowed attackers to unmask page admins |
| 400$ Bounty again using Google Dorks |
| Top 10 web hacking techniques of 2020 \| PortSwigger Research |
| How Gopher works in escalating SSRFs |
| GCP CloudSQL Vulnerability Leads to Internal Container Access and Data Exposure |
| How to Hack APIs in 2021 |
| Burp Macros: What, Why & How? |
| Setup Your Private Burp Collaborator for SSRF/XXE |
| Experience Burp Suite Enterprise Edition in a new live demo |
| DLL Hijacking using Spartacus, outside of DllMain |
| Cloudflare, Sucuri, Incapsula real IP tracker |
| A Brief Introduction to Prototype Pollution |
| Nuclear Pond |
| OWASP Top 10: Static Analysis of Android Application & Tools Used |
| Chameleon provides better content discovery by using wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technologies |
| Working with a scope using Gowitness |
| What the fuzz?! — The truth behind content discovery |
| Introducing a new way to buzz for eBPF vulnerabilities |
| Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack |
| Security researcher earns plaudits after discovering Yandex SSRF flaw |
| How I was able to reveal page admin of almost any page on Facebook |
| Shopify Plugin Bypass using P3 Client-side injection thru API Implementation Vulnerability |
| Run all your bug bounty VPN profiles in parallel and expose them via multiple local SOCKS proxies. |
| A tale of zero click account takeover |
| Subdomain Takeover leading to Full Account Takeover |
| Decrypting Mobile App Traffic using AES Killer and Frida |
| CSRF Testing Guide For Bug Bounty Hunters |
| A collection of hacker tools using HackerOne's API |
| Vulnerabilities in exported activity WebView |
| Shell in the Ghost: Ghostscript CVE-2023-28879 writeup |
| Bug Bounty Recon: Horizontal Correlation |
| How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes |
| How I earned 240$ from a Zero Interface |
| Reverse engineering Flutter for Android + Doldrums (Doldrums is a reverse engineering tool for Flutter apps). Tool Link = _Doldrum Tool_ |
| Top 10 Tips for Burp Suite |
| Server-Side Prototype Pollution Scanner |
| FUFF and SecLists |
| Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential for unauthorized database access |
| Improper Privilege Management in Grails Spring Security Core <= 5.1.0 CVE-2022-41923 |
| WAF bypasses via 0days |
| IDOR and APIkeys🔑Token Hardcode Exposed |
| Here's my story about 8 CVEs resulting in a plugin removal and more than $30,000 in bounties! |
| How I fuzz and hack APIs? |
| Prototype pollution like bug variant discovered in Python |
| Bypass firewalls with ofCORs and typosquatting |
| AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass |
| A Different Payload for CVE-2022-47966 |
| Difficulty of Reproducing Old Exploits (Part 1) |
| Difficulty of Reproducing Old Exploits (Part 2) |
| We discovered major vulnerabilities in Control Web Panel. Here’s how we found them |
| From Shared Dash to Root Bash :: Pre-Authenticated RCE in VMWare vRealize Operations Manager |
| Account Take Over Due To AWS Cognito Misconfiguration |
| Discoverability by phone number/email restriction bypass |
| GCP Pentesting Guide |
| Centreon map vulnerability |
| $500 in 5 minutes |
| Internal Gitlab Ticket Disclosure via External Slack Channels |
| 10 Types of Web Vulnerabilities that are Often Missed |
| Ultimate Reconnaissance RoadMap for Bug Bounty Hunters & Pentesters |
| How to Continuously Detect Vulnerable Jenkins Plugins to Avoid a Software Supply Chain Attack |
| Bypassing a Creation Limit on Free Accounts: A Race Condition Vulnerability in Bug Bounty Program |
| Implementing Nuclei into your Bitbucket CI/CD Pipeline for Scanning Live Web Applications |
| How to automate your initial recon and extend ASM using SubScout |
| Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server |
| Full Company Building Takeover |
| Bad things come in large packages: .pkg signature verification bypass on macOS |
| Parallels Desktop Toolgate Vulnerability |
| Aurora Withdrawal Logic Error Bugfix Review |
| Basic WebAssembly buffer overflow exploitation |
| An attacker can archive and unarchive any structured scope object on HackerOne |
| Modify inflight data to payment provider Smart2Pay |
| Bugs in our Pockets: The Risks of Client-Side Scanning |
| Make recruiting referrals on behalf of employees ($3000) |
| RCE in Avaya Aura Device Services |
| How to win at CORS |
| Prototype Pollution in Python |
| AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes |
| Misconfigured Reset password that leads to Account Takeover (No user Interaction ATO) |
| 10 CVEs! My Personal Thoughts On Research And CVEs |
| Story about Escalation of HTML Injection to EC2 Instance credentials leak |
| The Blind Exploits To Rule Watchguard Firewalls Vulnerabilities |
| View orders and financial reports lists for any page shop ($500) |
| Testing the Performance of User Authentication Flow |
| Hunting for Prototype Pollution and its vulnerable code on JS libraries |
| Governments Across The World Are Mandating Vulnerability Disclosure So Why Are Companies Sitting On Their Hands? |
| If It’s a Feature!!! Let’s Abuse It for $750 |
| Story of my first cash bounty on hackerone |
| How I made it into the United Nations hall of fame as I slept |
| Embedding Payloads and Bypassing Controls in Microsoft InfoPath |
| SSH key injection in Google Cloud Compute Engine (Google VRP) |
| Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804) |
| HTTP Parameter Pollution It’s Contaminated Again |
| Critical Vulnerability in Microsoft Azure Cosmos DB |
| Unusual Cache Poisoning between Akamai and S3 buckets |
| How I hacked one of the biggest Airline in the world |
| Bug Bounty Short Tips as image |
| How I found a bug in Apple within just in 5min |
| Chaining vulnerabilities to criticality in Progress WhatsUp Gold |
| Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories |
| Google SSO misconfiguration leading to Account Takeover |
| How I found my first Chrome bug |
| Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot |
| Reverse Prompt Engineering for Fun and (no) Profit |
| The second part of discovered vulnerabilities in pre-installed apps on Samsung devices |
| Cloud Metadata AWS IAM Credential Abuse |
| $300 Google API key leaked to Public on Live Website |
| Expect The Unexpected: Discovering fresh Zero-Day for Bounty |
| Securing Developer Tools: A New Supply Chain Attack on PHP |
| CS:GO : From Zero to 0day |
| How I found a critical P1 bug in 5 minutes using a cellphone — Bug Bounty |
| The DeFi Threat Model |
| SiriSpy iOS bug allowed apps to eavesdrop on your conversations with Siri |
| How I was able to delete 13k+ Microsoft Translator projects |
| Leaked H1's Employees Email addresses,meeting info on private bug bounty program |
| Hacking the Apple Webcam (again) |
| JavaScript bugs aplenty in Node.js ecosystem – found automatically |
| Bug Bounty FIRE Goals |
| Multiple vulnerability leading to account takeover in TikTok SMB subdomain. |
| Story of my hacking Dutch Government |
| Bypassing CSP with dangling iframes |
| Finding clientside prototype pollution with DOM Invader |
| GitHub Cache Poisoning |
| The MarkdownTime Vulnerability: How to Avoid This DoS Attack on Business Critical Services |
| Multiple bugs chained to takeover Facebook Accounts which uses Gmail. |
| Earn $200K by fuzzing for a weekend: Part 1 |
| Earn $200K by fuzzing for a weekend: Part 2 |
| CVE-2022-26712: The POC for SIP-Bypass Is Even Tweetable |
| A Big company Admin Panel takeover $4500 |
| OpenEMR Remote Code Execution in your Healthcare System |
| CVE-2022-1040 Sophos XG Firewall Authentication bypass |
| You Have One New Appointment: Exploiting iCalendar Properties in Enterprise Applications |
| Fuzzing for Bug Bounty Hunting |
| Hacking the Blockchain: An Ultimate Guide |
| Bounty Evaluation GitHub = $15,000 US Dollars |
| Gitlab Project Import RCE Analysis (CVE-2022-2185) |
| Joomla! CVE-2023-23752 to Code Execution |
| MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis |
| A Konami Code for Vuln Chaining Combos |
| Log4shell in google $1337.00 |
| 2 click Remote Code execution in Evernote Android |
| Remote Command Execution via Github import |
| Cacti: Unauthenticated Remote Code Execution |
| New Spring Framework RCE Vulnerability Confirmed What to do? |
| Spring Actuator Security, Part 1: Stealing Secrets Using Spring Actuators |
| Spring Actuator Security, Part 2: Finding Actuators using Static Code Analysis with semgrep |
| My First RCE from N/A to Triaged (CVE-2021-3064) |
| Gitpod remote code execution 0day vulnerability via WebSockets |
| How I abused the file upload function to get a high severity vulnerability in Bug Bounty |
| RCE via WebDav Power Of PUT |
| HTTP Desync Attack (Request Smuggling) Mass Session Hijacking |
| How I Found Multiple Bugs On FaceBook In 1 Month And a Part For My Methodology & Tools |
| Halborn Discovers Zero-Day Impacting Dogecoin and 280+ Networks |
| Local privesc vulnerability in Zoom (for macOS) |
| CVE-2022-41343 RCE via Phar Deserialisation (Dompdf) |
| Cookie Bugs Smuggling & Injection |
| RCE 0 day for GhostScript 9.50 |
| Low hanging fruits on Facebook Group Room |
| Denial of Service via Hyperlinks in Posts |
| Google Trust Services ACME API available to all users at no cost |
| A fresh look at user enumeration in Microsoft Teams |
| How I got access to many PIIs through a source code leak |
| F5 BIG-IP Critical Vulnerability Exploited By Attackers To Gain Unauthenticated RCE |
| WEEKEND DESTROYER RCE in Western Digital PR4100 NAS |
| The great SameSite confusion |
| Persistent PHP payloads in PNGs: How to inject PHP code in an image – and keep it there ! |
| How “Forgot Password” can cost you your account |
| postMessage Braindump : a brief postMessage testing methodology |
| Subdomain Enumeration Guide 2021 |
| Subdomain Takeover: How a Misconfigured DNS Record Could Lead to a Huge Supply Chain Attack |
| Full account takeover through referral code |
| Information Gathering&scanning for sensitive information |
| Attacking Pixel's Titan M with Only One Byte (CVE-2022-20233) and getting 75,000 USD bounty |
| CI/CD SECRETS EXTRACTION, TIPS AND TRICKS |
| SSD ADVISORY – KERIO MAILBOX TAKEOVER |
| The easiest $2500 I got it from bug bounty program |
| Disclose leads form details of any Facebook Business Account or Facebook Page |
| Multiple Critical Vulnerabilities in Strapi Versions <=4.7.1 |
| EJS, Server side template injection RCE (CVE-2022-29078) writeup |
| Remote code execution in cdnjs of Cloudflare |
| RCE via unsafe inline Kramdown options when rendering certain Wiki pages |
| MyBB Remote Code Execution Chain |
| Critical Gems Takeover Bug Reported in RubyGems Package Manager |
| Hunting evasive vulnerabilities |
| Ability To Delete User(s) Account Without User Interaction |
| URLs in img tag aren’t safely embedded. ($500) |
| Exploiting GraphQL |
| Low privilege user can read POS PINs via graphql and elevate his privilege |
| That single GraphQL issue that you keep missing |
| CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED) |
| IDOR in GraphQL Query Leaking Private Photos of a Million $ App |

# OWASP Top 10 WebApplication Issues (Updated)

## Broken Access Control

| Category | Writeup |
|-----------|-----|
| ATO | Hx01 Abusing Data Protection Laws For D0xing & Account Takeovers |
| IDOR | Access employees files in internal CDNs/ Access users modified/deleted content.($12500) |
| IDOR | Forced Browsing to Access Admin Panel |
| IDOR | I found IDOR Vulnerability at Microsoft Subdomain |
| IDOR | How I found an IDOR that led to sensitive information leak? |
| Chained | Fuzzing + IDOR = Admin TakeOver |
| ATO | Post Account Takeover? Account Takeover of Internal Tesla Accounts |
| ATO | Account Takeover Inside The Tenanth |
| RDP | Helping secure BNB Chain through responsible disclosure |
| Account Takeover | How I was able to take over accounts in websites deal with Github as an SSO provider |
| ATO | Account Takeover Worth of $2500 |
| ATO | Firing 8 Account Takeover Methods |
| IDOR | A 7500$ Google sites IDOR |
| ATO | Traveling with OAuth Account Takeover on Booking.com |
| OAUTH | OTP Bypass Through Response Manipulation |
| ATO | Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window Message Origin validation |
| IDOR | Unsubscribe any user’s email notifications via IDOR |
| Chained | IDOR leads to leak Private Details |
| IDOR | How I found my first bug (IDOR) |
| Auth Bypass | 23000$ for Authentication Bypass & File Upload & Arbitrary File Overwrite |
| AI | Hacking AI: System and Cloud Takeover via MLflow Exploit |
| API | Announcing the deps.dev API: critical dependency data for secure supply chains |
| Chained | IDOR to information disclosure + Admin Account Takeover |
| IDOR | $$$$ IDOR’s — How to find IDORs in Ecommerce sites? |
| ATO | ATO in Canvas Games due to weak cross window message Origin validations ($62,500) |
| Chained | OTP Bypassing and Vulnerabilities from E-Mail fields. |
| Path Traversal | Path Traversal Paradise |
| RCE | Detecting and mitigating CVE-2022-42889 a.k.a. Text4shell |
| WAF | Bypassing WAF for $2222 |
| Path Traversal | CVE-2019-6238: Apple XAR directory traversal vulnerability |
| Rate Limit | Unique Rate limit bypass worth 1800$ |
| IDOR | $600 for IDOR (File or Folder Download) |
| Podcast | 202 A SNIProxy Bug and a Samsung NPU Double Free |
| IDOR | A Story of IDOR which leads to privacy violation…$$$ |
| IDOR | How I found my first IDOR in HackerOne |
| Access Control | Improper Access Control — My Third Finding on Hackerone! |
| CSRF | Cross site request forgery (CSRF) attack |
| IDOR | How I Get $1350 From IDOR Just Less 1 hours |
| Priv Esc | How I earned $9000 with Privilege escalations |
| IDOR | IDOR in "external status check" API leaks data about any status check on the instance |
| IDOR | 4300$ Instagram IDOR Bug (2022) |
| Chained | How I was able to delete any users’ OAUTH connections via IDOR |
| Chained | Cobalt Pentest Case Study: OAuth Redirect to Account Takeover |
| IDOR | IDOR via GET Request which can SOLD all User Products |
| CORS | Attacking CORS Misconfigurations in Modern Web Apps |
| ATO | Shopify Account Takeover $22,500 Bug Bounty |
| Path Traversal | Weird Google bugs, SAML padding Oracle & Apache path traversal continued |
| HTTP Smuggle | Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond |
| IDOR | $5,000 YouTube IDOR Bug Bounty Reports Explained |

## Cryptographic Issues / Bugs

| Category | Writeup |
|-----------|-----|
| Chained | Making HTTP header injection critical via response queue poisoning |
| Cryptographic Failure | SHA3 Buffer Overflow |
| Cryptographic Failure | TCP/IP Vulnerability CVE-2022-34718 PoC Restoration and Analysis |
| Cryptographic Failure | The OpenSSL punycode vulnerability (CVE-2022-3602): Overview, detection, exploitation, and remediation |

## Injection Issues / Bugs

| Category | Writeup |
|-----------|-----|
| HHI | Host Header Injection Lead To Account Takeover |
| Regex-I | Regular Expression Injection |
| ESI-I | Exploring the World of ESI Injection |
| R-XSS | Tale of XSS in Angular |
| Stored-XSS | XSS Vulnerability Found in ConnectWise Remote Access Platform With Great Potential For Misuse by Scammers |
| R-XSS | Vue JS Reflected XSS |
| SQL-I | SQL injection vulnerabilities in Owncloud Android app CVE-2023-24804, CVE-2023-23948 |
| PHP-I | Exploiting an N-day vBulletin PHP Object Injection Vulnerability |
| DOM-XSS | Finding DOM Polyglot XSS in PayPal the Easy Way |
| Stored-XSS | XSS with Markdown — Exploit & Fix on OpenSource |
| Stored-XSS | postMessage XSS in Tesla Payment page |
| DOM-XSS | HTML parser bug triggers Chromium XSS security flaw |
| DOM-XSS | A $$$ worth of cookies! \| Reflected DOM-Based XSS \| Bug Bounty POC |
| Simple XSS | Email platform Zimbra issues hotfix for XSS vulnerability under active exploitation |
| SQL-I | CVE-2022-38627: A journey through SQLite Injection to compromise the whole enterprise building |
| DOM-XSS | Clipboard DOM-based XSS |
| DOM-XSS | Exploiting DOM Based XSS via Misconfigured postMessage() Function |
| R-XSS | How I found XSS on Admin Page without login! |
| SQL-I | Error based SQL Injection with WAF bypass manual Exploit 100% |
| XSS | XSS via X-Forwarded-Host header |
| SQL-I | Time-Based SQL Injection to Dumping the Database |
| Security Misconfiguration | [1500$ Worth — Slack] vulnerability, bypass invite accept process |
| C-I | The Tale of a Command Injection by Changing the Logo |
| R-XSS | Reflected Cross Site Scripting (XSS) on one.newrelic.com |
| XSS | New XSS vectors |
| Cypher-I | The most underrated injection of all time — CYPHER INJECTION. How I found and exploited it && 2000$ bounty ! |
| Blind-XSS | Blind XSS in app.pullrequest.com/████████ via /reviews/ratings/{uuid} |
| Chained | Hacking SwaggerUI from XSS to account takeovers |
| DOM-XSS | How I was able to steal users credentials via Swagger UI DOM-XSS |
| Stored-XSS | I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS |
| Stored-XSS | Stored XSS in markdown via the DesignReferenceFilter |
| Stored-XSS | Stored-XSS in merge requests |
| Rare Case | XSS through base64 encoded JSON |
| Stored-XSS | XSS on account[dot]leagueoflegends[dot]com via easyXDM [2016] |
| DOM-XSS | Stumbling across a DOM XSS on google.com |
| Stored-XSS | XSS Bug in SEOPress WordPress Plugin Allows Site Takeover |
| Chained | Stored XSS to RCE Chain as SYSTEM in ManageEngine ServiceDesk Plus |
| C-I | Command Injection in the GitHub Pages Build Pipeline |
| Chained | XSS via Mod Log Removed Post |
| R-XSS | Reflected XSS Leads to 3,000$ Bug Bounty Rewards from Microsoft Forms |
| Chained | Attack surface of extension pages |
| Stored-XSS | Stored XSS in Notes (with CSP bypass for gitlab.com) |
| XSS | How I found an XSS vulnerability via using emojis |
| Stored-XSS | Stored XSS in Google Doubleclick Studio |
| SQL-I | Moodle: Blind SQL Injection (CVE-2021-36393) and Broken Access Control (CVE-2021-36397) |
| RCE | Orange Arbitrary Command Execution |
| SQL-I | How I Found Multiple SQL Injections in 5 Minutes in Bug Bounty |
| SQL-I | Finding an unseen SQL Injection by bypassing escape functions in mysqljs/mysql |
| Stored-XSS | WordPress 5.8.2 Stored XSS Vulnerability |
| Chained | CVE-2022-24948: Apache JSPWiki pre-auth Stored XSS to ATO |
| Stored-XSS | Stored XSS: Non-Privileged User to Anyone Using QR Code |
| Chained | Javascript Hoisting in XSS Scenarios |
| Stored-XSS | Stored XSS vulnerability in Microsoft booking |
| XSS | Palisade identifies Wormable Cross-Site Scripting Vulnerability affecting Rarible’s NFT Marketplace |
| R-XSS | Tableau Server Leaks Sensitive Information From Reflected XSS |
| CSS-I | Unleashing the power of CSS injection: The access key to an internal API |
| OGNL-I | CVE-2021-26084, Atlassian Confluence OGNL |
| Redash | Exploiting Redash instances with CVE-2021-41192 |
| Stored-XSS | 5000$ for Apple Stored Xss And Another Blind Xss Still under review |
| Chained | Web Cache Poisoning leads to Stored XSS |
| Stored-XSS | XSS on tiktok.com |
| DOM-XSS | DOM-XSS in Instant Games due to improper verifications ($62,500?) |
| Stored-XSS | Stored-XSS on wiki pages |
| Stored-XSS | Stored XSS via Mermaid Prototype Pollution vulnerability |
| U-XSS | UXSS to Account Takeover in Rushbet |
| Stored-XSS | Stored XSS at Trello |
| DOM-XSS | A Story of DOM XSS |
| XSS | Got Another XSS using Double Encoding |
| Stored-XSS | SVG based Stored XSS |
| XSS | Google Roulette: Developer console trick can trigger XSS in Chromium browsers |
| Creative XSS | PostMessage Xss vulnerability on private program |
| DOM-XSS | How I found DOM-Based XSS on Microsoft MSRC and How they fixed it |
| DOM-XSS | DOM-XSS in Instant Games due to improper verification of supplied URLs |
| DOM-XSS | Winning QR with DOM-Based XSS \| Bug Bounty POC |
| SQL-I | Easy SQLi in Amazon subsidiary using Sqlmap |
| SQL-I | Fun sql injection — mod_security bypass |
| SQL-I | Exploiting SQL Injection at Authorization token |
| SQL-I | Stranger Strings: An exploitable flaw in SQLite |
| SQL-I | A 500$ SQL Injection Bug in .IKEA.es — My First Finding on Hackerone! |
| SQL-I | Varonis Threat Labs Discovers SQLi and Access Flaws in Zendesk |
| Prompt-I | Exploring Prompt Injection Attacks |
| C-I | Puckungfu: A NETGEAR WAN Command Injection |

## Insecure Design

| Category | Writeup |
|-----------|-----|
| Chained |File Upload to RCE
| Chained |Hunting for Bugs in File Upload Feature
| Param Tampering |HTTP request smuggling bug patched in mitmproxy
| Shift-Left Abuse |Able to steal bearer token from deep link
| Shell |Backdooring Electron Applications
| Shift-Left Abuse |Unsafe content loading [Electron JS]
| ATO |Account Takeover in KAYAK
| Chained |PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE
| Shift-Left Abuse |SAML is insecure by design
| Shift-Left Abuse |Escaping misconfigured VSCode extensions
| Shift-Left Abuse |Trigger custom URL in Medium Android app
| Chained |Add new managed stores without permission
| Microservices |Hacking Microservices For Fun and Bounty
| LFI |Attacking File Uploads in Modern Web Applications
| ATO |Full Account Takeover via Open Redirection
| FI Bypass |Bypassing File Upload Restriction using Magic Bytes
| Shift-Left failure |Design Flaw : A Tale of Permanent DOS (Informative > Triaged)
| RCE |Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3
| Chained |OAUTH Misconfiguration leads to Full Account Takeover
| Repo Jacking |Hijacking GitHub Repositories by Deleting and Restoring Them
| Stack Attack |Exploiting CVE-2022-42703 - Bringing back the stack attack
| MFA Bypass |Two Factor Authentication Bypass On Facebook
| File Corruption |Arbitrary File Corruption: End to End Encrypted Messaging Application
| Chained |CVE-2023-33383 : Authentication Bypass via an out-of-bounds read vulnerability
| Zero-Day |Hacking a Bank by Finding a 0day in DotCMS
| Server-Side |Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS!
| Poisoning |Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable
| Path Manipulation |Practical Example Of Client Side Path Manipulation
| Log4J |Finding the next Log4j – OpenSSF’s Brian Behlendorf on pivoting to a ‘risk-centred view’ of open source development
| ATO |Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing
| Shift-Left failure |Laravel 8.x image upload bypass
| Shift-Left failure |How I Made $16,500 Hacking CDN Caching Servers — Part 1
| Shift-Left failure |How I Made $16,500 Hacking CDN Caching Servers — Part 2
| Shift-Left failure |How I Made $16,500 Hacking CDN Caching Servers — Part 3
| Shift-Left failure |Bypassing default visibility for newly-added email in Facebook(Part I - Submitting I.D)
| Shift-Left failure |Bypassing default visibility for newly-added email in Facebook(Part II - Trusted Contacts)
| Chained |Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption
| Shift-Left Abuse |Slack integration setup lacks CSRF protection
| RCE |Multiple bugs leads to RCE on TikTok for Android
| SID |Leaking Facebook user information to external websites ($2000)

## Security Misconfiguration

| Category | Writeup |
|-----------|-----|
| Password | All about Password Reset vulnerabilities
| Chained | Nothing new under the Sun – Discovering and exploiting a CDE bug chain
| Subdomain Takeover | How I hacked thousand of subdomains
| S3 Recon |S3 Account Search
| RCE |Old RCE worth $3362
| Web-Cache |Web Cache Poisoning $$$? Worth it?
| Misconfiguration |How I Scored 1K Bounty Using Waybackurls
| CSRF |All About CSRF Flaw
| Recon + Exploitation |Leaked Secrets and Unlimited Miles: Hacking the Largest Airline and Hotel Rewards Platform
| Misconfiguration |System misconfiguration is the number one vulnerability, at least for Mastodon
| Chained |$10.000 bounty for exposed .git to RCE
| Chained |Account Takeover Due to Cognito Misconfiguration Earns Me €xxxx
| Shift-Left |Converting string to enum at the cost of 50 GB: let's analyze the CVE-2020-36620 vulnerability
| Misconfiguration |Detecting web message misconfigurations for cross-domain credential theft
| RCE |2022 Microsoft Teams RCE
| Chained |XML Security in Java: Java XML security issues and how to address them
| PII |The 100+ Million Person Data Disclosure
| Misconfiguration |The Untold SendBird Misconfigurations
| Path Traversal |PRACTICAL CLIENT SIDE PATH TRAVERSAL ATTACKS
| Chained |Infosys leaked Full Admin Access AWS keys on PyPi for over a year
| CSRF |CSRF protection bypass in GitHub Enterprise management console
| Request Smuggling |TE.TE: HTTP request smuggling, obfuscating the TE header
| Domain Takeover |Fastly Subdomain Takeover $2000
| Misconfiguration |Stealing passwords from infosec Mastodon without bypassing CSP
| Deserialization |UNSERIALIZABLE, BUT UNREACHABLE: REMOTE CODE EXECUTION ON VBULLETIN
| RCE |OpenEMR Remote Code Execution in your Healthcare System
| Chained |Common Nginx Misconfiguration leads to Path Traversal
| JAVA XML |Gregor Samsa: Exploiting Java's XML Signature Verification
| Bypass |How I got Apple Hall Of Fame !
| Prompt Injection |Prompt injection explained, with video, slides, and a transcript
| POC |Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
| CORS |CVE-2022-21703: cross-origin request forgery against Grafana
| Multiple |2 CSRF 1 IDOR on Google Marketing Platform
| S.I.D |PHP Development Server <= 7.4.21 Remote Source Disclosure
| Functionality Bug |Lack of URL normalization renders BlockedPreviews feature ineffectual
| Bypass |Bypass Premium Account Payment (GetPocket)
| Chained |Manipulating the WebSocket handshake to exploit vulnerabilities
| Cloud |AWS Targeted by a Package Backfill Attack
| SSPP |Detecting Server-Side Prototype Pollution
| CSRF |CSRF on /api/graphql allows executing mutations through GET requests
| SID |I have found a Microsoft subdomain website database list, database username and password
| File Read |Critical Local File Read in Electron Desktop App
| Prototype Pollution |CVE-2022-46175: JSON5 Prototype Pollution Vulnerability
| ATO |Hijacking accounts with host manipulation using collaborator
| Prototype Pollution |Server-side prototype pollution: Blackbox detection without the DoS
| Misconfiguration |Demographic Misconfiguration on Facebook live
| RCE |Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails
| Chained |Critical Valve Bug Lets Gamers Add Unlimited Funds to Steam Wallets
| Spoof |How we spoofed ENS domains for $15k
| Cloud |AWS Organizations Defaults
| Dependency Confusion |Basecamp disclosed on HackerOne: Insecure Bundler configuration
| Chained |Exploiting S3 bucket with path folder to Access PII info of A BANK
| Chained |Open Redirect to Account Takeover
| Chained |Enumerate internal cached URLs which lead to data exposure
| Chained |Open redirect in Instagram.com ($500)
| Redirect |Open Redirect Vulnerability & Some Common Payloads
| BLH |Broken Link hijacking — What it is and how to get bounties with it!
| Recon |A unique method of subdomain enumeration
| Cloud |Exploiting weak configurations in Google Cloud Identity Platform
| Deserialization |VMware vCenter Server Platform Services Controller Unsafe Deserialization vulnerability
| CVE |WordPress XXE Vulnerability in Media Library – CVE-2021-29447
| CVE |Veeam Backup and Replication CVE-2023-27532 Deep Dive
| Prototype Pollution |A Brief Introduction to Prototype Pollution
| CORS |CORS misconfig that's worth USD 200
| Insecure Design |Blog posts atom feed of a store with password protection can be accessed by anyone
| Critical |Enzyme Finance Price Oracle Manipulation Bug Fix Postmortem
| Prototype Pollution |Prototype Pollution Primer for Pentesters and Programmers
| XXE |A Long Story of XXE Vulnerability!!
| Priv Escalation |Pwn2Own Local Escalation of Privilege Category
| RCE |Overwolf 1Click Remote Code Execution CVE-2021-33501
| MFA Bypass |Bypassing Box’s Time-based One-Time Password MFA
| AWS |Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research
| ATO |‘Add yourself as super admin’ – Researcher details easy-to-exploit bug that exposed G Suite accounts to full takeover
| Critical |Remote Deserialization Bug in Microsoft's RDP Client through Smart Card Extension (CVE-2021-38666) Bounty award: $5,000.
| Confusion |Exploiting URL Parsing Confusion Vulnerabilities
| VA |Vulnerability Analysis with Ghidra Scripting
| Domain Takeover |Subdomain Takeover Via Flywheel
| SID |Github access token exposure
| ATO |How I was able to Takeover Accounts on Foxit.com
| Apple |Hacking Apple: Two Successful Exploits and Positive Thoughts on their Bug Bounty Program
| PP |The Complete Guide to Prototype Pollution Vulnerabilities
| Chained |2FA Bypass via Forced Browsing
| Chained |Duo Twofactor Authentication Bypass
| Chained |Account Takeover + A Bonus Vulnerability
| Websocket |Cross-Site WebSocket Hijacking (CSWSH)

## Vulnerable and Outdated Components

| Category | Writeup |
|-----------|-----|
| Outdated Package |Fuzzing Golang msgpack for fun and panic
| Session |Zabbix A Case Study of Unsafe Session Storage
| CVE |WSO2 RCE (CVE-2022-29464) exploit and writeup
| Wireless |Vulnerabilities in Tenda's W15Ev2 AC1200 Router
| CVE |Exploiting CVE-2022-42703 - Bringing back the stack attack

## Identification and Authentication Issues / Bugs

| Category | Writeup |
|-----------|-----|
| IAM | Improper Authentication: any user can log in as another user via otp/logout & otp/login
| JWT |How to test for JWT attacks
| Insecure Design |Bypassed the subscription and got the certification
| BAC |Broken Authentication Login With Google
| IAM |OAUTH2 bearer not checked for connection reuse
| Bypass |2FA Bypass Using Response Manipulation
| OTP Bypass |OTP brute force via rate limit bypass
| Password Flaw |10 Password Reset Flaws
| Chained |Account Takeover via SMS Authentication Flow
| Bypass |Bypassing Login Page in 2 Mins
| RCE |Pre-Auth RCE in Moodle Part I - PHP Object Injection in Shibboleth Module
| RCE |Pre-Auth RCE in Moodle Part II - Session Hijack in Moodle's Shibboleth
| Web-Cache |Web Cache Poisoning: A Tale of chaining unkeyed inputs
| JWT |EXPLOITING JSON WEB TOKEN [JWT]
| RCE |Security Advisory: Remote Command Execution in binwalk
| OAuth |OAuth 2.0 Hacking
| Bypass |Researchers Bypass SMS-based Multi-Factor Authentication Protecting Box Accounts
| Rate Limit |Trick to bypass rate limit of password reset functionality
| Chained |Exploiting OAuth: Journey to Account Takeover
| Chained |A tale of 0-Click Account Takeover and 2FA Bypass
| Cache Poisoning |Cache Poisoning at Scale

## Software and Data Integrity Failure

| Category | Writeup |
|-----------|-----|
| Software failure |Pwning a Server using Markdown
| Software failure |Admin can create a hidden admin account which even the owner cannot detect or remove, and perform administrative actions on the application.
| XSS |How I found a bug in Apple within just 5 min
| Hypervisor |Huawei Security Hypervisor Vulnerability
| SAML |A Brief Introduction to SAML Security Vector
| Integration failure |Hacking Google Drive Integrations
| Dependency Confusion |Dependency Confusion
| Race Condition |Race Condition — Resulted in using the feature which was supposed to be obtained after subscription.
| RCE |1-click RCE in Electron Applications
| SSCP |Worldwide Server-side Cache Poisoning on All Akamai Edge Nodes ($50K+ Bounty Earned)
| AWS |A Confused Deputy Vulnerability in AWS AppSync
| AWS |Vulnerability in AWS AppSync allowed unauthorized access to cloud resources
| CMS |Melis Platform CMS patched for critical RCE flaw

## Security Logging and Monitoring

| Category | Writeup |
|-----------|-----|
| JWT Secret |SSD Advisory – Cisco Secure Manager Appliance jwt_api_impl Hardcoded JWT Secret Elevation of Privilege
| Log Recon |Harvesting Logs for Fun and Profit
## Server Side Request Forgery

| Category | Writeup |
|-----------|-----|
| Cloud SSRF |Story of a Google Cloud SSRF
| Bypass SSRF |SSRF: Bypassing hostname restrictions with fuzzing
| Chained |Just Gopher It: Escalating a Blind SSRF to RCE for $15k
| File-based SSRF |FogBugz import attachment full SSRF requiring vulnerability
| Blind SSRF |A Glossary of Blind SSRF Chains
| Recon SSRF |SSRF vulnerabilities and where to find them
| Chained |Stealing administrative JWT's through post auth SSRF (CVE-2021-22056)
| SSRF |Turning bad SSRF to good SSRF: Websphere Portal
| SSRF |SSRF for kube-apiserver cloud-provider scene
| SSRF |Full read SSRF that can leak aws metadata and local file inclusion (www.evernote.com)
| SSRF |Java RMI services often vulnerable to SSRF attacks – research
| SSRF |Cisco BroadWorks CommPilot Application Software Unauthenticated Server-Side Request Forgery (CVE-2022-20951)
| SSRF |SSRF Attack Examples and Mitigations
| CSPA |Cross Site Port Attack in Wild
| SSRF |Another vision for SSRF
| SSRF |Securing PDF Generators Against SSRF Vulnerabilities
| CMS-SSRF |WordPress Core Unauthenticated Blind SSRF
| SSRF Recon |Bug Bounty { How I found an SSRF ( Reconnaissance ) }
| Cloud SSRF |Cloud is more fun with an SSRF
| Prototype Pollution |Server side prototype pollution, how to detect and exploit
| SSRF |SSRF via DNS Rebinding (CVE-2022-4096)

# Chained Issues / Chained Bugs :

| Category | Writeup |
|-----------|-----|
| Chained |A Tale of Open Redirection to Stored XSS

Story of a $1k bounty — SSRF to leaking access token and other sensitive information

The story of 3 bugs that lead to Unauthorized RCE — Pascom Systems

Bypassing Cloudflare WAF: XSS via SQL Injection

CRLF to Account takeover (chaining bugs)

Internet Bug Bounty: High severity vulnerability in Apache HTTP Server could lead to RCE

SSRF vulnerabilities caused by SNI proxy misconfigurations

Checkmk: Remote Code Execution by Chaining Multiple Bugs (3/3)

Exploiting Static Site Generators: When Static Is Not Actually Static

Remote Code Execution in Spotify’s Backstage via vm2 Sandbox Escape (CVSS Score of 9.8)

CVE-2022-42710: A journey through XXE to Stored XSS

Abusing JSON-Based SQL to Bypass WAF

SSD Advisory – Galaxy Store Applications Installation/Launching without User Interaction

Research | Bypass CSRF Protection w/ XSS

RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass

Prototype pollution project yields another Parse Server RCE

Hijacking service workers via DOM Clobbering

Pre-Auth RCE with CodeQL in Under 20 Minutes

CVE-2022-41924 - RCE in Tailscale, DNS Rebinding, and You

NodeBB prototype pollution flaw could lead to account takeover

NETGEAR NIGHTHAWK R7000P AWS_JSON UNAUTHENTICATED DOUBLE STACK OVERFLOW VULNERABILITY

The Story of a RCE on a Java Web Application

Bypassing required reviews using GitHub Actions

Achieving Remote Code Execution via Unrestricted File Upload

Admin account takeover via weird Password Reset Functionality

Node.js was vulnerable to a novel HTTP request smuggling technique

Chaining Path Traversal with SSRF to disclose internal git repo data in a Bank Asset

Visual Studio Code Jupyter Notebook RCE

Exploiting Arbitrary Object Instantiations in PHP without Custom Classes

Browser Exploitation: Firefox OOB to RCE

From XSS to RCE (dompdf 0day)

Bypassing Firefox's HTML Sanitizer API

Access private information about SparkAR effect owners who have a publicly viewable portfolio ($1500)

Tagged User Could Delete Facebook Story

Arbitrary file read via the bulk imports UploadsPipeline

How I Was Able To TakeOver Any Account On One Of Europe's Largest Media Companies

Fuzzing the web for mysterious bugs

Facebook SMS Captcha Was Vulnerable to CSRF Attack

Hacking TMNF: Part 1 Fuzzing the game server

Hacking TMNF: Part 2 Exploiting a blind format string

RCE on Starbucks Singapore and more for $5600

Bug Bounty Recon: Vertical Correlation (and the secret to succeeding)

Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution

Sesh Gremlin attack, RCE via password field & Pwning XMLSec for info disclosure and bounties

Bypassing Intel DCM’s Authentication by Spoofing Kerberos and LDAP Responses (CVE-2022-33942)

RCE on CS:GO client using unsanitized entity ID in EntityMsg message

Remote Code Execution V1 For iOS 15 sent through airdrop after the device was connected to a trusted host

Full Account takeover (ATO) — a tale of two bugs

A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection

Chaining a Blind SSRF bug to Get an RCE

How I Escalated a Time-Based SQL Injection to RCE

Exploiting Password Reset Poisoning for account takeover and max bounty!

CVE-2021-26084 Remote Code Execution on Confluence Servers

CVE-2021-43444 to 43449: Exploiting ONLYOFFICE Web Sockets for Unauthenticated Remote Code Execution

Chaining Open Redirect with XSS to Account Takeover

FORD Session token URL leads to Reflected XSS

Escalating SSRF to Accessing all user PII information by aws metadata

An Out Of Scope domain Leads To a Critical Bug[$1500]

GraphQL exploitation – All you need to know

GraphQL Security Testing Without a Schema

GraphQL Batching Attacks: Turbo Intruder

IDOR in GraphQL Query Leaking Private Photos of a Million $ App

Header spoofing via a hidden parameter in Facebook Batch GraphQL APIs

# Android Application Testing (Methods + Tools)

Getting started with Android Application Security

Using an Android emulator for API hacking

Android Penetration Testing Cheat Sheet

Android Penetration Testing: Frida

APKHunt static code analysis tool for Android apps that is based on the OWASP MASVS framework

Frida script to bypass common methods of SSL pinning on Android

ByPass SSL Pinning with IP Forwarding | iptables

It's all about Bypassing Android SSL Pinning and Intercepting Proxy Unaware applications.

SameSite cookie bypass on Android by redirecting to intent picker with PoC code ($5,000 bounty)

Insecure deeplink leads to sensitive information disclosure

How to Write Frida Hook For Android

Facebook android webview vulnerability : Execute arbitrary javascript (xss) and load arbitrary website

Android Component Security

Reconator Automated Recon for Pentesting & Bug Bounty

Facebook Messenger for Android indirect thread deletion vulnerability

Keybase App Vulnerability: Incomplete Cleanup of Messages In Keybase for Android/iOS CVE-2021-34421

Exploiting Request forgery on Mobile Applications

Step-by-step guide to reverse an APK protected with DexGuard using Jadx

Android security guides, roadmap, docs, courses, writeups, and teryaagh

TikTok for Android 1-Click RCE

10 Vulnerable Android Applications for beginners to learn Android hacking

Android security checklist: WebView

Mobile MitM: Intercepting your Android App Traffic On the Go

Mobile Bug Bounty Hunting? Enter BLE

Set Up an Android Hacking Lab for $0

MOBILE PENTESTING 101 – BYPASSING BIOMETRIC AUTHENTICATION

Chaining bugs in Telegram for Android app to steal session-related files

Intercept Flutter traffic on iOS and Android (HTTP/HTTPS/Dio Pinning)

Android security checklist: theft of arbitrary files

Basics on commands/tools/info on how to assess the security of mobile applications

Advanced SQL Injection Cheatsheet : A cheat sheet that contains advanced queries for SQL Injection of all types.

Discovering vendor-specific vulnerabilities in Android

Accidental $70k Google Pixel Lock Screen Bypass

Mobile App Scanner to Find Security Vulnerabilities

Pixel 6: Booting up (part 1)

Pixel 6 bootloader: Emulation, ROP (part 2)

Pixel 6 Bootloader: Exploitation (part 3)

Instagram vulnerability : Turn off all type of message requests using deeplink (Android)

# IOS Application Testing (Methods + Tools)

iOS Penetration Testing Cheat Sheet

iOS Hacking A Beginner's Guide to Hacking iOS Apps [2022 Edition]

iOS jailbreak dev wins $2M bounty for finding critical Optimism bug

Hacking the Apple Webcam (again)

Exploring iOS Applications with Frida and Objection: Basic Commands for Pentesting

Insecure deeplink leads to sensitive information disclosure

How to Reverse Engineer and Patch an iOS Application for Beginners:

Reverse Engineering the Apple MultiPeer Connectivity Framework

CVE-2022-32929 Bypass iOS backup's TCC protection

Hyperpom: An Apple Silicon Fuzzer for 64-bit ARM Binaries

CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures

Bypass Apple’s redirection process with the dot (“.”) character

# Guide To Penetration Testing tools (Beginner + Intermediate + Advanced tools and techniques)

Top 10 Tips for Burp Suite

Burp Suite Extensions: Rarely Utilized but Quite Useful

Burp Suite solving Email and SMS TAN multi-factor authentication with Hackvertor custom tags

Finding CSRF Vulnerabilities with BurpSuite

HTTP Signatures: A Burp Suite Extension Implementing HTTP Signatures

Burp Suite roadmap for 2021

Browser powered scanning in Burp Suite

Learn how to write a Burp Suite extension in Kotlin – Setting up

Using Intruder to Brute Force Authorization Header

CaA BurpSuite Collector and Analyzer

x8 Hidden parameters discovery suite

Params — Discovering Hidden Treasure in WebApps

A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.

Make JSON greppable! gron transforms JSON into discrete assignments to make it easier to grep for what you want and see the absolute 'path' to it.
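As an added illustration of the idea behind gron (this is example code written for this list, not gron's own source): a minimal Python reimplementation of the flattening, run over a constructed JSON document, so the greppable `path = value;` form and the "absolute path" it gives every hit are visible. The sample document, its hostnames and its token value are invented for the example.

```python
import json
import re

# Constructed sample document (invented for this example, not from any real
# target): nested objects and an array, so both .key and [index] paths appear.
SAMPLE = json.loads("""
{
  "server": {"hostname": "api.internal.example", "tls": {"enabled": false}},
  "users": [
    {"name": "alice", "token": "AKIAEXAMPLE"},
    {"name": "bob", "token": null}
  ]
}
""")

# Keys that are valid JS identifiers are emitted as .key; anything else
# (spaces, dashes, leading digits) as ["key"], the way gron does.
_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def _child(path, key):
    if _IDENT.match(key):
        return f"{path}.{key}"
    return f"{path}[{json.dumps(key)}]"


def gron(obj, path="json"):
    """Flatten a decoded JSON value into gron-style assignment lines.

    Every scalar, object and array becomes one 'path = literal;' line, so a
    grep hit on a value carries the full path back to the document root.
    """
    lines = []
    if isinstance(obj, dict):
        lines.append(f"{path} = {{}};")
        for key, value in obj.items():          # document order preserved
            lines.extend(gron(value, _child(path, key)))
    elif isinstance(obj, list):
        lines.append(f"{path} = [];")
        for index, value in enumerate(obj):
            lines.extend(gron(value, f"{path}[{index}]"))
    else:
        # json.dumps yields JS-compatible literals: true/false/null, quoted strings.
        lines.append(f"{path} = {json.dumps(obj)};")
    return lines


def grep(lines, pattern):
    """The 'grep for what you want' half: filter flattened lines by regex."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


if __name__ == "__main__":
    flat = gron(SAMPLE)
    print("\n".join(flat))
    print("--- lines mentioning a token ---")
    print("\n".join(grep(flat, r"\.token = ")))
```

Grepping the flattened output for `\.token = ` returns both token lines together with their full `json.users[i].token` paths, which is what makes this representation handy when hunting for secrets or interesting keys in large API responses: the match and its location in the document arrive on the same line.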

Life’s a Peach (Fuzzer): How to Build and Use GitLab’s Open-Source Protocol Fuzzer

# Jenkins Vulnerabilities

Notes about attacking Jenkins servers

# API Security Testing

A Case Study of API Vulnerabilities

What is BOLA? 3-digit bounty from Topcoder ($$$)

New Cosmos Blockchain API DoS

Using an Undocumented Amplify API to Leak AWS Account IDs

Trigger custom URL in Medium Android app

How to Exploit Public Firebase Realtime Database using REST API

Microsoft Dynamics Container Sandbox RCE via Unauthenticated Docker Remote API 20,000$ Bounty

Compromising Plesk via its REST API

Missing Bricks: Finding Security Holes in LEGO APIs

# Web 3.0 Writeups

Exploiting Web3’s Hidden Attack Surface: Universal XSS on Netlify’s Next.js Library

The Rise of Web 3.0 Security

RCE on admin panel of web3 website

# BlockChain Security

ChainWalker is a smart contract scraper which uses RPC/IPC calls to extract the information

Blocksec CTFs A curated list of blockchain security Wargames, Challenges, and Capture the Flag (CTF) competitions and solution writeups

Hunting For Mass Assignment Vulnerabilities Using GitHub CodeSearch and grep.app

Velas Infinite Mint Vulnerability Writeup

# IOT Security (Writeups + Security)

Xiongmai IoT Exploitation

Turning Google smart speakers into wiretaps for $100k

# CheatSheets for Cybersecurity

BigQuery SQL Injection Cheat Sheet


# Famous Checklists

Galaxy Bug Bounty : Tips and Tutorials for Bug Bounty and also Penetration Tests

# Extra Practicing Labs (Critical Vulnerabilities) :

Spring RCE vulnerability reproduction environment

PoC Spring Core RCE 0day Vulnerability

# Car Hacking Writeups

How I hacked my car (2021 Hyundai Ioniq SEL) : Part 1

How I hacked my car (2021 Hyundai Ioniq SEL) : Part 2

How I hacked my car (2021 Hyundai Ioniq SEL) : Part 3

Reverse engineering an EV charger

We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.

Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More

More Car Hacking

# A.I Based Security research writeups :

ChatGPT — Bug Bounty Recon Automation

# Security Podcast :

Exploiting VMware Workstation and the Return of CSG0Days