Medium-Bookmarks.md

MediumBookmarks

Organizando os bookmarks que acumulei no Medium

• Bug Bounty
  • Recon
  • Mobile
  • API Test
  • WriteUps
    • IDOR
    • SQLi
    • XSS
    • SSRF
    • CSRF
    • CRLF
    • XXE
    • RCE
    • Open Redirection
    • Race Conditions
    • Subdomain Takeover
    • HTTP Request Smuggling
    • Information Disclosure
    • Misconfiguration
    • Others
• CTF
• Pentesting
• Certifications
• Linux
• Hackthebox Writeups
• Forensic

Web

• Entendendo o CORS — Parte 1
• Entendendo o CORS — Parte 2
• Understanding CORS
• How CORS (Cross-Origin Resource Sharing) Works?
• Hacking It Out: When CORS won’t let you be great
• Think Outside the Scope: Advanced CORS Exploitation Techniques
• A Noob Guide to setup your Own OOB DNS Server
• GraphQL — Common vulnerabilities & how to exploit them
• Content-Security-Policy (CSP) Bypass Techniques
• Hacking the Web With Fiddler
• Bypass OTP using http header.
• Abusing feature to steal your tokens

Bug Bounty

• Getting started in Bug Bounty
• Bug Bounty Hunting Tips #1— Always read the source code
• Bug Bounty Hunting Tips #6 — Simplify
• The Hitchhiker’s Guide to Bug Bounty Hunting Throughout the Galaxy. v2
• BUG BOUNTY HUNTING (METHODOLOGY , TOOLKIT , TIPS & TRICKS , Blogs)
• Collection Of Bug Bounty Tip-Will Be updated daily
• Bug Bounty Toolkit
• Bug Bounty — The Learning Mindset
• Bounty Hunters Only!
• Grey Areas of Bugbounty World:
• Web Application Security & Bug Bounty (Methodology, Reconnaissance, Vulnerabilities, Reporting)
• Fuzzing Web Applications
• Bug Bounty with Bash
• Hacking WebSocket
• Pwn Them All #BugBounty
• Hunting Good Bugs with only
• Getting access to disabled/hidden features with the help of Burpsuite Match and Replace settings
• ✈️Use Telegram bot as a Penetration Testing Framework
• Phases of an NMAP scan
• Host-Header Injection Simplify | Bug Bounty Hunting !
• Fuzzing — where is the logic?
• Crossing The Borders : The illegal trade of HTTP requests
• Five easy steps to understand JSON Web Tokens (JWT)
• Breaking the Competition (Bug Bounty Write-up)
• The Bugs Are Out There, Hiding in Plain Sight
• BugBounty TIPS + Tools (continuously updated)
• Mastering the Skills of Bug Bounty
• My first accepted bug report!
• Collection Of Bug Bounty Tip-Will Be updated daily
• Bounty Tip !! Easiest way to bypass API’s Rate Limit.
• BugBounty types — HTML injection via email
• Bug Bounty Hunting Tips #5 — Aim to Become World-Class in Your Niche
• Bounty Tip : How to Push Injection through JSON/XML stubs for API
• HOW TO GET STARTED IN BUG BOUNTY (9+pro tips)
• Bug Bounty Methodology (TTP- Tactics, Techniques, and Procedures) V 2.0
• My Bug Bounty Journey & Ranking 1st in U.S. DoD & Achieving top 100 hackers in 1 year

RECON

• Reconnaissance: a eulogy in three acts
• Subdomains Enumeration: what is, how to do it, monitoring automation using webhooks and centralizing your findings
• Automated monitoring of subdomains for fun and profit — Release of Sublert
• What tools I use for my recon during
• How To Do Your Reconnaissance Properly Before Chasing A Bug Bounty
• Recon done right
• Recon — my way.
• Reconnaissance to a quick P1
• How does my recon win $250 in 15 minutes
• Different Approaches For Reconnaissance — Bug Bounty’s
• Automated Host Recon, Persistence and Exfiltration
• Automating URL Reconnaissance in Web Applications Bug Bounty Hunting with Google Dorker Tool
• Privilege Escalation with simple recon
• Fasten your Recon process using Shell Scripting
• Recon like a boss! Automation using “Shell Scripting”
• Gathering domains/subdomains with IPRanges of organization
• “Practical recon techniques for bug hunters & pen testers” at LevelUp 0x02
• How “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce / eStores
• Recon Everything
• Recon As You Owns It | Cyberverse
• How to Hack Your Neighbor with a Post-It Note, Part 1 (Performing Recon)
• Beginner’s Guide to recon automation.
• OSINT Recon Great? — Unique Usernames Are Better Than Unique Passwords
• REST framework Admin Panel bypass and how I recon for this vulnerability
• Advanced Recon Automation (Subdomains) case 1
• NMAP CHEAT-SHEET (Nmap Scanning Types, Scanning Commands , NSE Scripts)
• Subdomain Enumeration Tools Evaluation
• Shodan, entre banners e filtros
• Discovering The Hidden Web
• Fuzz Faster with FFUF
• Quick Guide to Using ffuf with Burp Suite
• Web Application Hacking Introduction — Mapping the Application
• Spend more time doing recon, you’ll find more BUGS.

Mobile

• Full Account Takeover (Android Application)
• Analyzing WhatsApp Calls with Wireshark, radare2 and Frida
• How i got 7000$ in Bug-Bounty for my Critical Finding.
• My First Bug Bounty From Bug Bounty Platform redstorm.io

WriteUps

IDOR

• Top 25 IDOR Bug Bounty Reports
• Accidental IDOR that Deleted Admin Account.
• My Bug Hunting Journey with IDORs Part 2
• A Less Known Attack Vector, Second Order IDOR Attacks
• IDOR IN JWT AND THE SHORTEST TOKEN YOU WILL EVER SEE {}.{“uid”: “1234567890”}
• How to find more IDORs
• 1st Bounty Story | Rewarded 300$ (IDOR)
• IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo
• Automating BURP to find IDORs
• GraphQL IDOR leads to information disclosure
• Account takeover using IDOR and the misleading case of error 403.
• Stories Of IDOR
• Maybe the manager Is Hacker (IDOR)?
• BUG IDOR APPS MISTERALADIN
• A Less Known Attack Vector, Second Order IDOR Attacks
• A Simple IDOR to Account Takeover
• IDOR to Account Takeover
• Attention to Details : Finding Hidden IDORs
• IDOR in session cookie leading to Mass Account Takeover
• #Bugbounty- “How I was able to see other users Payments in a travel application” — IDOR #800$
• How I Earn 250000 IDR From ClickJacking

SQLi

• Blind SQL Injection
• Blind SQL Injection without an “in”
• SQL Injection Via Stopping the redirection to a login page
• Security: Preventing SQL Injection (SQLi)
• Learn SQL Injection by Ethically Hacking a Rails App
• Interesting case of SQLi
• How to write custom tamper scripts for sqlmap
• How i got easy $$$ for SQL Injection Bug
• Sql Injection via hidden parameter

XSS

• Top 25 XSS Bug Bounty Reports
• Get Reflected XSS within 3 minutes
• Сookie-based XSS exploitation | $2300 Bug Bounty story
• Reflect XSS in JS File on Subdomain (redacted.redacted.com)
• 3 Minutes & XSS!
• XSS in Edmodo within 5 Minute (My First Bug Bounty)
• Hunting methodology and experience of my First Stored XSS on Edmodo.com
• 900$ XSS in yahoo ( Recon Wins )
• XSS for Dummies — Injection Attack Series
• Multiple xss in *.skype.com
• Multiple xss in *.skype.com (2)
• CVE-2020-5842 Stored XSS Vulnerability in Codoforum 4.8.3
• XSS on Sony subdomain
• Stored XSS on Snapchat
• Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty
• BUG BOUNTY: How I earned $550 in less than 5 minutes. “Open Redirect chained with rXSS”
• Bounty Tip- Open redirection escalated further into an XSS !!
• Blind Xss (A mind game to win the battle)
• How I turned Self XSS to Stored via CSRF
• Roubo de sessão bypassando WAF com XSS — Roubando sessão com 1 click
• Bypass Uppercase filters like a PRO (XSS Advanced Methods)
• Sleepy Puppy Extension for Burp Suite
• 5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)
• How I found a stored XSS on thousands of webshops
• How I Found XSS By Searching In Shodan
• How I paid 2$ for a 1054$ XSS bug + 20 chars blind XSS payloads
• Open Redirect to XSS
• SSRF dan STORED-XSS Pada Situs Translator Maker
• XSS in pastebin.com and reddit.com via unsanitized Markdown Output
• XSS “403 forbidden” bypass write up
• How to Upgrade Your XSS Bugs from Medium to Critical
• What do Netcat, SMTP and self XSS have in common? Stored XSS
• What is Cross-Site Scripting
• Attacking Sites Using CSRF
• SQL Injection and XSS: What White Hat Hackers Know About Trusting User Input
• Stealing JWTs in localStorage via XSS
• XSS-Auditor — the protector of unprotected
• Clobbering the clobbered — Advanced DOM Clobbering
• PostMessage Xss Fuzz using Chrome App
• XSS in bootstrap data-target attribute
• Unicode vs WAF — XSS WAF Bypass .
• From Reflected XSS to Account Takeover — Showing XSS Impact
• Stored XSS on Edmodo
• How i was able to bypass strong xss protection in well known website. (imgur.com)
• bypass XSS in redirection
• XSS — Cross Site Scripting
• Blind XSS for beginners
• How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)
• [XSS] Reflected XSS Bypass Filter
• Story Of a Stored XSS Bypass
• New technique to find Blind-XSS
• [FUN] Bypass XSS Detection WAF
• Self XSS to Account Takeover
• Reflected XSS on Microsoft.com via Angular Js template injection
• XsS Back Button - I Can See You From Behind
• Arbitrary Parentheses-less XSS
• XSS on a JIRA Subdomain.
• Reflected Cross Site Scripting on REDACTED Program (Bounty: 750$)
• XSS in Microsoft subdomain

SSRF

• SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1
• Vimeo SSRF with code execution potential.
• How i found an SSRF in Yahoo! Guesthouse (Recon Wins)
• How i converted SSRF TO XSS in jira.
• Server-Side Request Forgery (SSRF) Attacks - Part 1: The basics
• My First CSRF to Account Takeover worth $750
• Exploiting an SSRF: Trials and Tribulations
• SSRF - Server Side Request Forgery (Types and ways to exploit it) Part-1
• SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-2
• SSRF — Server Side Request Forgery (Types and ways to exploit it) Part-3
• SSRF on PDF generator.
• Blind SSRF - Sentry Misconfiguration
• Exploiting SSRF in RethinkDB
• SSRF (Server Side Request Forgery) worth $4,913 | My Highest Bounty Ever !
• Bug Bounty tip Automating SSRF
• $10000 Facebook SSRF (Bug Bounty)

CSRF

• My First CSRF to Account Takeover worth $750
• Lack of CSRF token validation at server side
• How I CSRF’d My First Bounty!
• How I exploit the JSON CSRF with method override technique
• CSRF(Cross-site Request Forgery Attack) and ways to combat it in Rails
• Cross Site Request Forgery (CSRF)

CRLF

• Cross Site Request Forgery: Techniques
• CRLF Injection Playbook

XXE

• Top 25 XXE Bug Bounty Reports
• XML External Entity (XXE) Injection Payload List
• Very cool XXE bug in a Web Service
• RCE via Apache Struts2 - Still out there.
• $5,005 worth vulnerability Duplicated, How I loose $5,005 in a day? Denial of Service - Billion LAUGH Attack (XXE)
• Exploiting XML External Entity (XXE) Injections
• Hacking XML Data
• Out of Band XXE Injection Via gopher
• XXE Attacks— Part 1: XML Basics
• XXE Attacks — Part 2: XML DTD related Attacks
• XXE on Windows system …then what ??
• Unique XXE to AWS Keys journey
• Out of Band XXE in an E-commerce IOS app

RCE

• Top 25 RCE Bug Bounty Reports
• Simple Remote Code Execution Vulnerability Examples for Beginners
• My First RCE (Stressed Employee gets me 2x bounty)
• A Not-So-Blind RCE with SQL Injection
• Remote Image Upload Leads to RCE (Inject Malicious Code to PHP-GD Image)
• Remote Code Execution - Explaination, Writeups and Tools.
• RoCET — Remote Code Execution Tool
• How an Instagram’s Story drives me to a Remote Code Execution.
• TOP 21 Remote Code Execution Exploit’s #RCE #InTheWild
• Remote Code Execution — Gaining Domain Admin due to a typo
• Jenkins RCE PoC or simple pre-auth remote code execution on the Server.
• How I exploited an arbitrary code execution vulnerability in fast-redact
• REMOTE CODE EXECUTION ! 😜 Recon Wins
• The Karamba Product Security Blog: Remote Code Execution
• Backdoor Exploration of Webmin Remote Code Execution Vulnerabilities (CVE-2019–15107)
• Drupal Core Remote Code Execution Vulnerability: CVE-2019–6340
• Rooting Nagios Via Outdated Libraries
• PHPMyAdmin 4.8.0 ~ 4.8.1 Remote Code Execution
• Dell KACE K1000 Remote Code Execution — the Story of Bug K1–18652
• Interspire Email Marketer 6.20< Remote Code Execution via Upload Files
• Übersicht Remote Code Execution, Spotify takeover
• Two Easy RCE in Atlassian Products
• RCE in Jira(CVE-2019–11581)
• Magento Web Exploit Case Studies
• From Recon to Optimizing RCE Results - Simple Story with One of the Biggest ICT Company in the World
• Data exfiltration over DNS with Remote Code Execution
• Arbitrary code execution on Facebook for Android through download feature
• Apache Tomcat Deserialization of Untrusted Data RCE (CVE-2020–9484)
• How I hacked Facebook: Part One

Open Redirection

• 1000$ for Open redirect via unknown technique [BugBounty writeup]

Race Conditions

• Top 25 Race Condition Bug Bounty Reports
• Hacking Banks With Race Conditions

Subdomain Takeover

• Subdomain takeover and prevention using Knockpy
• Sub-Domain Takeovers — How Can Companies Better Secure Their Assets? Part 1
• How to do 55.000+ Subdomain Takeover in a Blink of an Eye
• Subdomain Takeover — New Level
• How i bought my way to subdomain takeover on Tokopedia
• Pantheon Subdomain Takeover
• How we Hijacked 26+ Subdomains
• How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes
• How I could make more then 1.700 Subdomains Takeover on Amazon S3 in few minutes
• How I takeover subdomain by claim unclaimed s3 bucket
• How Recon helped me to to find a Facebook domain takeover
• SubDomain TakeOver ~ Easy WIN WIN

HTTP Request Smuggling

• Earn Bounty !! with HTTP request smuggling attack.
• The Powerful HTTP Request Smuggling 💪

Information Disclosure

• All about Information disclosure
• How I get my first SWAG from SIDN (Sensitive Data Expose)
• Easily leaking passenger information on an Airline
• Page Admin Disclosure via an Upgraded Page Post
• Page Admin Disclosure | Facebook Bug Bounty 2019
• Disclosure of Facebook Page Admin due to insecure tagging behavior
• Internal Information Disclosure using Hidden NTLM Authentication
• API secret key Leakage leads to disclosure of Employee’s Information
• Simple Logic: Leads to account takeover.
• Information Disclosure via Misconfigured AWS to AWS Bucket Takeover
• FFUF and my first bounty
• Private Dashboards were accessible by other Admins in Analytics Dashboard
• From Recon to P1 (Critical) — An Easy Win
• Recon to Sensitive Information Disclosure in Minutes
• Information Disclosure User Account Edmodo
• Story of a weird vulnerability I found on Facebook
• How to Escalate from HTML Injection to Data Steal
• Public and secret api key leaked in JavaScript source
• How I Found The Facebook Messenger Leaking Access Token Of Million Users

Misconfiguration

• How I earned $1,500 in just 15 mins due to Amazon S3 bucket misconfiguration?
• Fun with Amazon S3— Leaks and bucket takeover attack
• AWS NS Takeover

OTHERS

• CORS Misconfiguration Leads To Steal Sensitive Information Disclosure
• Bypassing CORS
• SOP Bypass
• CORS Misconfiguration leading to Private Information Disclosure
• Exploitation of CORS(Cross Origin Resource Sharing) on Edmodo
• CORS Misconfiguration to Account TakeOver [Out of scope to grab items In-Scope]
• Broke limited scope with a chain of bugs (tips for every rider CORS)
• Fun With CORS Misconfiguration — II
• Pre-domain wildcard CORS Exploitation
• Edmodo — IDOR to view private files of any class
• How I was able to get your facebook private friend list [Responsible Disclosure]
• Information Disclosure - WordPress CMS
• The unexpected bounty: A story of Zendesk takeover on REDACTED.com
• Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic
• Password Reset Token Leak Via Referrer
• How I was able to take over any users account with host header injection
• Hacking Git Directories
• GOOGLE REFERER LEAK BUG
• TOYOTA’s Password reset token and Email Address leak via Referer header
• Facebook Bug bounty Story: $X000 for an Information Disclosure Bug
• How I earn $500 from Razer open S3 bucket
• Full Account Takeover (Android Application)
• How I was able to takeover the company’s LinkedIn Page
• Finding a P1 in one minute with Shodan.io (RCE)
• Finding a P2 in two minutes with Shodan.io
• Tale of Account Takeovers (Part-1)
• Broken session management leads to bypass 2FA and Permanent access to Facebook user’s
• How I bypassed the OTP verification process? Part - 3
• My Weirdest Bug Bounty — Getting PII from O365.
• An Unexpected Bounty — Email Bounce Issues
• Using Vulnerability Analytics Feature Like a Boss
• Account Takeover Via Modifying Email ID — Codeigniter Framework
• Yet Another .NET deserialization
• The Wondeful World of OAuth: Bug Bounty Edition
• How I got my first BUG on BugCrowd
• Full Account Takeover By Guessing Token In Verizon Media
• Web Cache Poisoning in Postmates [$1500]
• #BugBounty — Adding Money Using Response Modification
• How I Accidentally Got My First Bounty From Facebook
• Firefox: How a website could steal all your cookies
• How to get easy $$$ from bug bounty ( Web Parameter Tampering )
• An often overlooked Oauth misconfiguration.
• Chaining Multiple Requests to Achieve Rate Limiting Vulnerabilities

CTF

• Beginner’s Guide to CTFs

Pentesting

• Intro to Metasploit
• Intro to Nmap
• Back to Basics -> Junior pentester tips and methodology

Certifications

• My OSCP Journey — 30–03–2020

Linux

• The Bash Scripting Tutorial, Part 1
• Creating new bash commands and aliases
• How to Create Productive Bash Command Aliases

Hackthebox Writeups

• Hack The Box — FriendZone Writeup w/o Metasploit
• Hack The Box — Safe Writeup w/o Metasploit
• DevOops — An XML External Entity (XXE) HackTheBox Walkthrough
• Hack The Box — Forest Writeup w/o Metasploit
• Hacking through the Forest! Pwning Active Directory — HTB
• HacktheBox — Forest
• HacktheBox — Postman
• An OSCP journey without using METASPLOIT — HTB BASHED #1
• An OSCP journey without using METASPLOIT — HTB Nibbles#2

Forensic

• Memory Analysis For Beginners With Volatility Coreflood Trojan: Part 1