Merge pull request #14 from AshF0x/master

March Update

README.md

@@ -6,18 +6,19 @@ There are a number of new hackers joining the community on a regular basis and m
 
 We understand that there are more resources other than the ones we have listed and we hope to cover more resources in the near future!<br>
 
-## Current Version: 2020.02 
+## Current Version: 2020.03 
 
 [Changelog: See what's new!](/assets/changelog.md) 📣
 
 ---
 ## Table of Contents
 
-1. [Basics](/assets/basics.md)
-2. [Setup](/assets/setup.md)
-3. [Tools](/assets/tools.md)
-4. [Labs & Testing Environments](/assets/labs.md)
-5. [Vulnerability Types](/assets/vulns.md)
-6. [Mobile Hacking](/assets/mobile.md)
-6. [Blog posts & Talks](/assets/blogposts.md)
-7. [Media Resources](/assets/media.md)
+- [Basics](/assets/basics.md)
+- [Setup](/assets/setup.md)
+- [Tools](/assets/tools.md)
+- [Labs & Testing Environments](/assets/labs.md)
+- [Vulnerability Types](/assets/vulns.md)
+- [Mobile Hacking](/assets/mobile.md)
+- [Smart Contracts](/assets/smartcon.md)
+- [Blog posts & Talks](/assets/blogposts.md)
+- [Media Resources](/assets/media.md)

assets/blogposts.md

@@ -21,6 +21,7 @@ A collection of Blog Posts ordered by Vulnerability Types
 - [GraphQL](#GraphQL)
 - [RCE](#RCE)
 - [Recon](#Recon)
+- [Smart Contracts](#Smart-Contracts)
 - [Misc](#Misc)
 ---
 ## XSS
@@ -70,7 +71,7 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
 ## Mobile
 ### iOS
 - [From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13](https://spaceraccoon.dev/from-checkra1n-to-frida-ios-app-pentesting-quickstart-on-ios-13) - spaceraccoon
-## Android
+### Android
 - [A deep dive into reversing Android pre-Installed apps](https://github.com/maddiestone/ConPresentations/blob/master/Blackhat2019.SecuringTheSystem.pdf) and the [BlackHat Talk](https://www.youtube.com/watch?v=U6qTcpCfuFc) - Maddie Stone
 
 ## HTTP Desync
@@ -107,6 +108,11 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
 ## Recon
 - [Subdomain Recon Using Certificate Search Technique](https://www.r00tpgp.com/2020/01/subdomain-recon-using-certificate.html?m=0)
 - [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) - [maverickNerd](https://github.com/maverickNerd)
+- [10 Recon Tools For Bug Bounty](https://medium.com/@hackbotone/10-recon-tools-for-bug-bounty-bafa8a5961bd) - Anshuman Pattnaik
+
+## Smart Contracts
+- [Steal collateral during `end` process, by earning DSR interest after `flow](https://hackerone.com/reports/672664)(Listed as Business Logic Error)
+- [Steal all MKR from `flap` during liquidation by exploiting lack of validation in `flap.kick`](https://hackerone.com/reports/684152)(Listed as Improper Input Validation)
 
 ## Misc
 - [Hacking GitHub with Unicode's dotless 'i'](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)

assets/changelog.md

@@ -6,6 +6,39 @@ Updates to this repo will be pushed monthly. You can read about the latest chang
 
 ---
 
+## Update 2020.03
+### Added
+- New: [Smart Contracts](/assets/smartcon.md) (special thanks to [@0xatul](https://twitter.com/0xatul))
+    - New White-/yellowpapers in [Smart Contracts](/assets/smartcon.md): 
+    **Bitcoin whitepaper & Ethereum yellowpaper**
+    - New **How to Audit a Smart Contract** 
+- New Smart Contracts Category under [Blogposts](/assets/blogposts.md#Smart-Contracts) and added two Writeups
+- New in [Blogposts](/assets/blogposts.md): 
+    - **10 Recon Tools for Bug Bounty**
+- New in [Setup](/assets/setup.md): 
+    - **Finding your First Bug and getting a Bounty with InsiderPhD**
+    - **Introduction to Docker for CTFs**
+- New in [Vulnerabilities](/assets/vulns.md):
+    - **Finding your first Bug - CSRF**
+    - **CSRF-Basics**
+- New in [Tools](/assets/tools.md): 
+    - **Knockpy**
+- New in [Labs](/assets/labs.md):
+    - **0l4bs for XSS**
+- New in [Mobile](/assets/mobile.md):
+    - **Q&A with Android Hacker bagipro**
+    - **Introduction to Android Hacking**
+    - **Mobile Hacking Cheat Sheet**
+    - **Android Pentesting Github Repo by [Riddhi Shree](https://github.com/riddhi-shree)**
+
+### Changed
+- Nothing
+### Fixed
+- Format Issue in [Changelog](/assets/changelog.md)
+- Changed Format in [README](/assets/README.md)
+
+
+---
 ## Update 2020.02
 ### Added
 - New XSS Lab: **XSS Labs from PwnFunction**
@@ -19,7 +52,7 @@ Updates to this repo will be pushed monthly. You can read about the latest chang
 - New Vulnerabilities Post: **The 7 main XSS cases everyone should know**
 - Added Jason Haddix to [Media](/assets/media.md) (contributed by [securibee](https://github.com/securibee))
 
-## Changed
+### Changed
 - Moved **Notes about Nahamsecs Recon Sessions** from [Misc](/assets/blogposts.md#Misc) to [Recon](/assets/blogposts.md#Recon)
 
 ### Fixed

assets/labs.md

@@ -12,6 +12,7 @@
 - [Google Gruyere](https://google-gruyere.appspot.com/)
 - [Web Security Academy by PortSwigger](https://portswigger.net/web-security)
 - [XSS Labs from PwnFunction](https://xss.pwnfunction.com/) Great Labs in a beautiful layout
+- [0l4bs - Cross-site scripting labs for web application security enthusiasts](https://github.com/tegal1337/0l4bs) - by tegal1337
 
 ---
 back to [Intro Page](/README.md)

assets/mobile.md

@@ -7,9 +7,15 @@ Since there are quite a lot of people asking for Beginner Guides to Mobile Hacki
 - [The Mobile Application Hacker’s Handbook](http://amzn.to/2cVOIrE)
 - [iOS Application Security](http://amzn.to/2d9yo7m)
 - [From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13](https://spaceraccoon.dev/from-checkra1n-to-frida-ios-app-pentesting-quickstart-on-ios-13) - by spaceraccoon
+- [The Mobile Hacking CheatSheet](https://github.com/randorisec/MobileHackingCheatSheet) - Randorisec
+- [Introduction to Android Hacking ](https://www.hackerone.com/blog/androidhackingmonth-intro-to-android-hacking) - [@0xteknogeek](https://twitter.com/0xteknogeek)
+- [Android Pentesting](https://github.com/riddhi-shree/nullCommunity/tree/master/Android) (Github repo containing hands-on training content for conducting Android app pentesting using some of the common Android pentesting tools)
 
 ## Tools
 Tools specific for mobile hacking can be found [here](/assets/tools.md#mobile-hacking).
 
+## Misc
+- [Q&A With Android Hacker bagipro](https://www.hackerone.com/blog/AndroidHackingMonth-qa-with-bagipro)
+
 ---
 back to [Intro Page](/README.md)

assets/setup.md

@@ -8,6 +8,8 @@ This section will help you set up your testing environement.
 - [Docker For Pentesting And Bug Bounty Hunting](https://www.youtube.com/watch?v=5G6tA8Q9AuQ)
 - [Basics of UNIX](https://lifehacker.com/5633909/who-needs-a-mouse-learn-to-use-the-command-line-for-almost-anything)
 - [Previously Disclosed Vulnerabilities / HackerOne Hacktivity](https://hackerone.com/hacktivity)
+- [Finding your First Bug and Getting a Bounty - Personal Story by @InsiderPhD](https://www.youtube.com/watch?v=iEDoIEBD7gM) - YouTube Discussion
+- [Introduction to Docker for CTFs](https://www.youtube.com/watch?v=cPGZMt4cJ0I) (Works for Bug Bounty too) - by LiveOverflow
 
 ## Burp Suite
 This section should help you get familiar with BurpSuite.

assets/smartcon.md

@@ -0,0 +1,10 @@
+# Resources-for-Beginner-Bug-Bounty-Hunters
+
+## Smart Contracts 📜
+
+### Bitcoin whitepaper & Ethereum yellowpaper - cruicial to undestand how those work:
+- [Bitcoin whitepaper](https://bitcoin.org/bitcoin.pdf)
+- [Ethereum yellowpaper](https://ethereum.github.io/yellowpaper/paper.pdf)
+- [How to Audit a Smart Contract](https://blockgeeks.com/guides/audit-smart-contract/) - Blockgeeks
+---
+back to [Intro Page](/README.md)

assets/tools.md

@@ -34,6 +34,8 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
 |[Osmedeus](https://github.com/j3ssie/Osmedeus)|Fully automated offensive security framework for reconnaissance and vulnerability scanning|Python|[j3ssie](https://github.com/j3ssie)|
 |[hakrawler](https://github.com/hakluke/hakrawler)|hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover Forms, Endpoints, Subdomains, Related documents and JS Files|Go|[@hakluke](https://twitter.com/hakluke)|
 |[Reconness](https://github.com/reconness)|A Web App Tool to Run and Keep all your #recon in the same place.|C#|[@reconness](https://twitter.com/reconness)|
+|[Kockpy](https://github.com/guelfoweb/knock)|A python tool designed to enumerate subdomains on a target domain through a wordlist|Python|[@guelforweb](http://twitter.com/guelfoweb)|
+
 
 #### OSINT Webpages
 | Name 	| Description 	    | Created by   |

assets/vulns.md

@@ -20,6 +20,8 @@ As we start to build this repository, we'll be adding more vulnerability types a
 
 ## Cross-Site Request Forgery (CSRF)
 - [Cross-Site Request Forgery Attack](https://www.youtube.com/watch?v=eWEgUcHPle0) - by PwnFunction
+- [CSRF-Basics](https://princetechhavenz.wordpress.com/2019/12/11/csrf-basics/) - by Princethilak
+- [Finding Your First Bug: Cross-Site Request Forgery](https://www.youtube.com/watch?v=ULvf6N8AL2A) - by Insider PhD
 
 ## XML External Entities (XXE)
 - [XML External Entities ft. JohnHammond](https://www.youtube.com/watch?v=gjm6VHZa_8s) - by PwnFunction