https://github.com/pascalschulz/Infosec-Resources

just a little treasure chest of stuff I need to watch / read later
https://github.com/pascalschulz/Infosec-Resources

Last synced: 2 months ago
JSON representation

just a little treasure chest of stuff I need to watch / read later

• Host: GitHub
• URL: https://github.com/pascalschulz/Infosec-Resources
• Owner: pascalschulz
• Created: 2019-03-26T20:59:59.000Z (almost 6 years ago)
• Default Branch: master
• Last Pushed: 2021-03-26T07:37:44.000Z (almost 4 years ago)
• Last Synced: 2024-08-03T18:16:31.968Z (6 months ago)
• Size: 20.5 KB
• Stars: 31
• Watchers: 4
• Forks: 13
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-cybersec - infosec-resources

README

        
# Infosec Resources

This is a try to create a comprehensive list of good write-ups and tools for specific vulnerablitiies. 

## Attack Guidance

### OAuth

 * https://research.nccgroup.com/2020/07/07/an-offensive-guide-to-the-authorization-code-grant/

 

### CRLF Injection

 * https://hackerone.com/reports/79552 

 * https://hackerone.com/reports/66386 

 * https://hackerone.com/reports/36105 

 * https://hackerone.com/reports/39181 

 * https://hackerone.com/reports/66257 

 * https://hackerone.com/reports/67386 

 * https://hackerone.com/reports/15492

 

### Cross-Site-Scripting

 * http://lcamtuf.coredump.cx/postxss/

 * https://html5sec.org/

 * https://aem1k.com/aurebesh.js/

 

### CSP 

 * https://blog.innerht.ml/csp-2015/

### Sensitive Information Disclosure

 * https://github.com/cure53/HTTPLeaks

 

### URL Redirection

 * https://medium.com/bugbountywriteup/cvv-2-open-redirect-213555765607

 

### Subdomain Takeover

 * https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

 

### SSTI (Server-Side Template Injection)

 * https://portswigger.net/blog/server-side-template-injection

 * https://speakerdeck.com/owaspmontreal/workshop-server-side-template-injection-ssti

 * https://www.lanmaster53.com/2016/03/09/exploring-ssti-flask-jinja2/

 * https://www.lanmaster53.com/2016/03/11/exploring-ssti-flask-jinja2-part-2/

 * https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html

 * https://hackerone.com/reports/125980

 

### SSRF (Server-Side Request Forgery)

 * http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html

 * https://sethsec.blogspot.com/2015/12/exploiting-server-side-request-forgery.html

 * http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf

 * https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF

 * http://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/

 * https://www.bishopfox.com/blog/2016/02/burp-collaborate-listen-pentester-reviews-latest-burp-suite-addition/

 * https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit

 * https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb

 

### SQL Injection 

 * https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2019/march/did-you-order-a-sql-injection/

 

### CSRF (Cross-Site-Request Forgery)

 * https://resources.infosecinstitute.com/bypassing-csrf-protections-fun-profit/#gref

 

### CSS Injection

 * https://www.netsparker.com/blog/web-security/private-data-stolen-exploiting-css-injection/

 * https://portswigger.net/blog/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss

 * https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b

 

### HTTP Parameter Pollution

 * https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/

 

### Deserialization 

 * https://github.com/frohoff/ysoserial

 * https://book.hacktricks.xyz/pentesting-web/deserialization

### RCE

 * https://www.revshells.com/

 

 

## Tech-Stack

### Electron Apps

 * https://spaceraccoon.dev/open-sesame-escalating-open-redirect-to-rce-with-electron-code-review

## Cheat-Sheets

### API Hacking

 * https://dsopas.github.io/MindAPI/play/

 

## Reconnaissance

 

### Bug Bounty

 * https://www.offensity.com/de/blog/just-another-recon-guide-pentesters-and-bug-bounty-hunters/

 

## Tools

### Reconnaissance

 * https://github.com/1N3/Sn1per

 

### Bug Bounty Framework

 * https://github.com/pry0cc/axiom

 * https://blog.yeswehack.com/yeswerhackers/the-pwning-machine/

 

## Blogs

### Web Application Security

 * https://blog.innerht.ml/

## Methodologies

### Bug Finding

 * https://docs.google.com/presentation/d/1p8QiqbGndcEx1gm4_d3ne2fqeTqCTurTC77Lxe82zLY/edit#slide=id.p

## Youtube

### Web Application Hacking

 * https://www.youtube.com/watch?v=Casj9ly3XAk&feature=youtu.be

 * https://www.youtube.com/watch?v=Qw1nNPiH_Go

 * https://www.youtube.com/watch?v=C4ZHAdI8o1w

 * https://www.youtube.com/watch?v=Y80drEt_TVQ

### Random Videos

 * https://www.youtube.com/watch?v=RBoI0sSBeDo

## Technical Challenges

### File Transfer

 * https://file-downloads.com/

## Further Lists

### Write-Ups

 * https://pentester.land/list-of-bug-bounty-writeups.html