June Update

Peer Heinen 2020-06-01 12:48:52 +02:00
parent 06c6a1a7c7
commit 4579d114cc
10 changed files with 91 additions and 8 deletions

View file

@ -6,7 +6,7 @@ There are a number of new hackers joining the community on a regular basis and m
We understand that there are more resources other than the ones we have listed and we hope to cover more resources in the near future!<br>
## Current Version: 2020.05
## Current Version: 2020.06
[Changelog: See what's new!](/assets/changelog.md) 📣
@ -28,4 +28,6 @@ We understand that there are more resources other than the ones we have listed a
- [Mindset & Mental Health](/assets/health.md)
---
If you have more questions or suggestions, come the [Discord Server](https://discord.gg/9jZxjQ5) of nahamsec !
If you have more questions or suggestions, check our [NahamSec's Discord](https://discord.gg/9jZxjQ5)!<br>
Also, feel free to check out the other resources:
- Nahamsec on [YouTube](https://www.youtube.com/channel/UCCZDt7MuC3Hzs6IH4xODLBw) and on [Twitch](https://www.twitch.tv/nahamsec)
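Review bot: In the reworded footer sentence, "check our [NahamSec's Discord]" reads like a typo for "check out"; as written the possessive is doubled ("our NahamSec's"). The sentence also gains a trailing `<br>` in front of a one-item list; a blank line before "Also, feel free to check out the other resources:" would render the list without relying on inline HTML.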

View file

@ -9,7 +9,7 @@
3. [Networking basics](#Networking-basics)
4. [Programming Basics](#Programming-Basics)
5. [Automation](#Automation)
6. [Computing Fundamentals](#Computing-Fundamentals)
### Stanford CS 253 Web Security
@ -84,6 +84,11 @@ You are welcome to skip this section if you think youll never need any automa
- http://www.sqlcourse.com/
- https://en.wikibooks.org/wiki/Programming_Fundamentals/Advanced_Flowcharting
### Computing Fundamentals
- [Hopper's Roppers Computing Fundamentals](https://www.hoppersroppers.org/course.html)
- This free course teaches the absolute basics of Linux, hardware, networking, operating systems, and scripting. Designed to get a complete beginner over the first big learning hurdles and so they can move on to anything else and succeed.
- [Exeter Q-Step Resources](https://exeter-qstep-resources.github.io/)
- Here, you will find a range of teaching materials that have been developed by members of the Q-Step Centre. If you have any questions, please contact l.brace@exeter.ac.uk or qstep@exeter.ac.uk. Details of Q-Step workshops and events can be found at https://socialsciences.exeter.ac.uk/q-step/events.
---
back to [Intro Page](/README.md)
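Review bot: The description under the Exeter Q-Step entry copies the site's own blurb, including two contact e-mail addresses and an events URL, which will go stale and puts those addresses in front of scrapers; a one-sentence summary of what the material covers, as done for the Hopper's Roppers entry, would fit the section better. In the Hopper's Roppers description, "hurdles and so they can move on" has a stray "and".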

View file

@ -32,6 +32,7 @@ A collection of Blog Posts ordered by Vulnerability Types
- [How to Set up Certificate-Based SSH for Bug Hunting](https://medium.com/@c0ldbr3w/how-to-set-up-certificate-based-ssh-for-bug-hunting-bonus-ef4af95fca05) - by Mack Staples
- [XSS in Google Colaboratory + CSP bypass](https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html) by Michał Bentkowski
- [Zseanos notes on hacking & mentoring](https://blog.intigriti.com/2020/04/29/bug-business-3-zseanos-notes-on-hacking-mentoring/) by Intigriti & Zseano
- [MY BUG BOUNTY JOURNEY!](https://www.youtube.com/watch?v=ug7FzoByLFc) by Farah Hawa
## XSS
You can find a ton of awesome XSS reports by searching through the HackerOne Hacktivity Page (https://hackerone.com/hacktivity?querystring=XSS). Here are some more complex and some of my favorite XSS related blog posts:
@ -43,6 +44,8 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
- [Reflected XSS in https://blocked.myndr.net](https://hackerone.com/reports/824433) - Thilakesh
- [Google Bug Bounty Writeup- XSS Vulnerability](https://pethuraj.com/blog/google-bug-bounty-writeup/) - [@itsmepethu](https://twitter.com/itsmepethu)
- [How to solve the INTIGRITI Easter XSS challenge using only Chrome Devtools](https://www.youtube.com/watch?v=IhPsBMBDFcg) - by STÖK
- [Found Stored Cross-Site Scripting — Whats Next? — Privilege Escalation like a Boss](https://medium.com/bugbountywriteup/found-stored-cross-site-scripting-whats-next-privilege-escalation-like-a-boss-d-8fb9e606ce60) - by Harsh Bothra
- [Bypassing WAF to perform XSS](https://medium.com/bugbountywriteup/bypassing-waf-to-perform-xss-2d2f5a4367f3) - by Kleitonx00
### DOM XSS
@ -64,6 +67,7 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
- [Piercing The Veil: Server Side Request Forgery Attacks On Internal Networks](https://peertube.opencloud.lu/videos/watch/40f39bfe-6d3c-40f5-bcab-43f20944ca6a)<br>- Alyssa Herrera | Hack.lu 2019
- [Vimeo upload function SSRF](https://medium.com/@dPhoeniixx/vimeo-upload-function-ssrf-7466d8630437) - Sayed Abdelhafiz
- [Piercing the Veal](https://medium.com/@d0nut/piercing-the-veal-short-stories-to-read-with-friends-4aa86d606fc5) - by d0nut
- [MY EXPENSE REPORT RESULTED IN A SERVER-SIDE REQUEST FORGERY (SSRF) ON LYFT](https://www.nahamsec.com/posts/my-expense-report-resulted-in-a-server-side-request-forgery-ssrf-on-lyft) - by nahamsec
## Vulnerability Scanning
@ -82,6 +86,7 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
- [Finding SQL injections fast with white-box analysis — a recent bug example](https://medium.com/@frycos/finding-sql-injections-fast-with-white-box-analysis-a-recent-bug-example-ca449bce6c76?) - [@frycos](https://twitter.com/frycos)
- [How we hacked one of the worlds largest Cryptocurrency Website](https://strynx.org/insecure-crypto-code-execution/) - [strynx](https://strynx.org/)
- [Blind SQL Injection on windows10.hi-tech.mail.ru](https://hackerone.com/reports/786044) - Просто душка (api_0)
- [How to Hack Database Links in SQL Server!](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/) - Antti Rantasaari
## Mobile
### iOS
@ -124,12 +129,14 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
## RCE
- [My First RCE (Stressed Employee gets me 2x bounty)](https://medium.com/@abhishake100/my-first-rce-stressed-employee-gets-me-2x-bounty-c4879c277e37) - [Abhishek Yadav](https://medium.com/@abhishake100)
- [How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber](https://medium.com/@andrewaeva_55205/how-dangerous-is-request-splitting-a-vulnerability-in-golang-or-how-we-found-the-rce-in-portainer-7339ba24c871) - by Andrewaeva
## Recon
- [Subdomain Recon Using Certificate Search Technique](https://www.r00tpgp.com/2020/01/subdomain-recon-using-certificate.html?m=0)
- [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) - [maverickNerd](https://github.com/maverickNerd)
- [10 Recon Tools For Bug Bounty](https://medium.com/@hackbotone/10-recon-tools-for-bug-bounty-bafa8a5961bd) - Anshuman Pattnaik
- [Recon: Create a methodology and start your subdomain enumeration](https://failednuke.info/2020/recon-create-a-methodology-and-start-your-subdomain-enumeration/) - by FailedNuke
- [THEY SEE ME SCANNIN, THEY HATIN: A BEGINNERS GUIDE TO NMAP](https://securityqueens.co.uk/they-see-me-scannin-they-hatin-a-beginners-guide-to-nmap/) - by Sophia (https://twitter.com/SecQueens)
## Smart Contracts
- [Steal collateral during `end` process, by earning DSR interest after `flow](https://hackerone.com/reports/672664)(Listed as Business Logic Error)
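Review bot: The Nmap guide entry added to the Recon list credits the author as "by Sophia (https://twitter.com/SecQueens)" with a bare URL in parentheses, while the neighbouring entries link the handle, e.g. `[maverickNerd](https://github.com/maverickNerd)`. Suggest `by [@SecQueens](https://twitter.com/SecQueens)` so the credit renders the same way as the rest of the list.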
@ -149,7 +156,8 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
- [Top 10 web hacking techniques of 2019](https://portswigger.net/research/top-10-web-hacking-techniques-of-2019) by [James Kettle](https://twitter.com/albinowax)
- [Understanding Search Syntax on Github](https://help.github.com/en/github/searching-for-information-on-github/understanding-the-search-syntax#exclude-certain-results) by Github
- [URL link spoofing (Slack)](https://hackerone.com/reports/481472) by Akaki Tsunoda (akaki)
- [Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts](https://samcurry.net/abusing-http-path-normalization-and-cache-poisoning-to-steal-rocket-league-accounts/) by Sam Curry
- [Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts](https://samcurry.net/abusing-http-path-normalization-and-cache-poisoning-to-steal-rocket-league-accounts/) by Sam Curry
- [The Secret sauce of bug bounty](https://medium.com/bugbountywriteup/the-secret-sauce-of-bug-bounty-bdcc2e2d45af) by Mohamed Slamat
---
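Review bot: The Sam Curry entry shows up twice in this hunk with no visible difference, which suggests it was removed and re-added for a whitespace-only change. If that was to force a line break before the new "The Secret sauce of bug bounty" entry, it is not needed, since both are list items; if it was accidental, revert it so the diff only carries the new entry.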

View file

@ -4,6 +4,53 @@
Updates to this repo will be pushed monthly. You can read about the latest changes below.
---
## ___Update 2020.06___
### Added
- [Blogposts & Disclosed Reports](/assets/blogposts.md):
- **THEY SEE ME SCANNIN, THEY HATIN: A BEGINNERS GUIDE TO NMAP** - by Sophia
- **How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber** - by Andrewaeva
- **Found Stored Cross-Site Scripting — Whats Next? — Privilege Escalation like a Boss** - by Harsh Bothra
- **How to Hack Database Links in SQL Server!** - by Antti Rantasaari
- **The Secret sauce of bug bounty** - by Mohamed Slamat
- **MY EXPENSE REPORT RESULTED IN A SERVER-SIDE REQUEST FORGERY (SSRF) ON LYFT** - by nahamsec
- **MY BUG BOUNTY JOURNEY!** - by Farah Hawa
- **Bypassing WAF to perform XSS** - by Kleitonx00
- [Labs](/assets/labs.md):
- **Will it CORS?**
- [Coding](/assets/coding.md):
- **Linux Beginner Boost**
- [Media](/assets/media.md):
- **rwxrob** as a streamer
- **ChaosComputerClub Germany Media Resources** under Misc
- **@ZephrFish** in Twitter List
- **@CalumBoal** in Twitter List
- **@_superhero1** in Twitter List
- **CRE** in Podcasts
- **Phrack** in Misc
- **CCC Luxembourg Podcast** in Podcasts
- [Tools](/assets/tools.md):
- **KeyHacks** in the Scanner section<br>
- **Notion** in the Notes section<br>
- **Joplin** in the Notes section<br>
- **Xmind** in the Notes section<br>
- **SpiderFoot** in the Recon section
- **Axiom** in the Notes section
- **webhook** in Misc
- **requestcatcher** in Misc
- **canarytokens** in Misc
- **Nmap command helper** in Scanner
- [Mindset & Mental Health](/assets/health.md):
- **Happy Hacking**
- [Basics](/assets/basics.md)
- **Computing Fundamentals**
- **Exeter Q-Step Resources**
- **Setup bugbounty hunting env on termux** - by @hahwul
### Changes
### Fixes
---
## ___Update 2020.05___
### Added
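Review bot: Under the `[Basics](/assets/basics.md)` heading of the 2020.06 changelog, "Setup bugbounty hunting env on termux" is listed next to Computing Fundamentals, but in this commit that link is added by the hunk whose context reads "This section will help you set up your testing environement", not by the hunk that adds the Computing Fundamentals section; it should be listed under a heading for that page. The Basics heading is also missing the trailing colon the other headings carry, only four of the Tools items end in `<br>`, "webhook" is added as "webhook.site" in the tools table, and the empty "### Changes" and "### Fixes" headings should be filled (the reworded README footer would fit under Changes) or dropped.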

View file

@ -16,6 +16,7 @@ TL,DR: ___Python___ and ___Bash___ are really good skills to have and start out
- [Subdomain Enumeration Script](https://twitter.com/Sin_Khe/status/1242785016884625409)
- [ShellCheck](https://www.shellcheck.net/) - for finding Bugs in your Shell Scripts
- [Bug Bounty with Bash](https://medium.com/cyberverse/bug-bounty-with-bash-438596ff72f5) - by Aditya Soni
- [Linux Beginner Boost](https://rwx.gg/) - by [rwxrob](https://www.twitch.tv/rwxrob)
### Learning Platforms
- [Exercism](https://exercism.io/) - "Code Practice and Mentorship.."
- [CodeCademy](https://www.codecademy.com/)

View file

@ -7,6 +7,7 @@ Bug Bounties is a task that can be very challenging and competitive and it can a
(Thanks STÖK for putting out great videos regarding this point)
Getting in the right Mindset:
- [Mental Hacking 4 Better Bounties:](https://youtu.be/roVg_wgGgxQ) by STÖK
- [Happy Hacking:](http://phrack.com/issues/68/7.html#article) Phrack Volume 0x0e, Issue 0x44, Phile #0x07 of 0x13
---
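Review bot: The added Happy Hacking link points at `http://phrack.com/...`, while the Phrack entry added to the Misc list elsewhere in this commit uses `http://www.phrack.org/`. Use one host for both, and HTTPS if the site serves it, so readers are not sent over plain HTTP to two different names for the same publication.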

View file

@ -17,6 +17,7 @@
- Videos: [TryHackMe! Basic Penetration Testing](https://www.youtube.com/watch?v=xl2Xx5YOKcI) // [TryHackMe! EternalBlue/MS17-010 in Metasploit](https://www.youtube.com/watch?v=s6rwS7UuMt8) // [TryHackMe! OhSINT - METADATA & Research](https://www.youtube.com/watch?v=oF0TQQmFu4w)
- [Cyberseclabs](https://www.cyberseclabs.co.uk/)
- [Kontra Application Security Training](https://application.security/free-application-security-training)
- [Will it CORS?](https://httptoolkit.tech/will-it-cors/) | Tell this magic CORS machine what you want, and it'll tell you exactly what to do
---
back to [Intro Page](/README.md)

View file

@ -8,6 +8,7 @@ Here you find listings to useful media creations that can help beginners in diff
- [Podcasts](#Podcasts)
- [Books](#Books)
- [Twitter](#Twitter)
- [Misc](#Misc)
---
## Youtube Channels
@ -21,6 +22,7 @@ Here you find listings to useful media creations that can help beginners in diff
- [PwnFunction](https://www.youtube.com/PwnFunction) explanatory videos about Web App vulnerabilities
- [DEFCONConference](https://www.youtube.com/user/DEFCONConference/videos) - Tons of Talks from Defcon.
- [Jason Haddix](https://www.youtube.com/channel/UCk0f0svao7AKeK3RfiWxXEA) - VODs of his Stream
- [rwxrob](https://www.twitch.tv/rwxrob) - Linux God
## Streamers
- [Nahamsec](https://www.twitch.com/nahamsec) on Twitch
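Review bot: The rwxrob entry is added above the `## Streamers` heading, so it lands at the end of the Youtube Channels list even though its link is a Twitch channel and the changelog in this commit describes it as "rwxrob as a streamer". Move the line below `## Streamers`, and consider a description that says what the stream covers instead of "Linux God".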
@ -38,6 +40,9 @@ Here you find listings to useful media creations that can help beginners in diff
- [The Bug Bounty Podcast](https://open.spotify.com/show/3yTTlfXH1avrI3FsXZyCpv) by Fisher
- [Episode 3 with nahamsec](https://anchor.fm/bugbountypodcast/episodes/Episode-3-ft--NahamSec-ebl392)
- [Bug Hunter Podcast](https://anchor.fm/bughunter)
- [CRE](https://cre.fm/) German Podcast - CRE ist ein unregelmäßig erscheinender Interview-Podcast mit Tim Pritlove zu Themen aus den Bereichen Technik, Kultur und Gesellschaft.
- [CRE197 IPv6](https://cre.fm/cre197-ipv6) Episode revolving around IPv6
- [CCC Luxembourg Podcast](http://wiki.c3l.lu/doku.php?id=projects:entr0py_encore) Luxembourgish Podcast from CCC Lux.
## Books
- [Real-World Bug Hunting](https://www.amazon.com/Real-World-Bug-Hunting-Field-Hacking/dp/1593278616) by [Peter Yaworski](https://twitter.com/yaworsk)
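Review bot: The description of the new CRE entry is in German while the rest of the Podcasts list is in English; since the entry is already labelled "German Podcast", a short English summary would keep the list readable for the beginners it targets. The CCC Luxembourg entry links over plain `http://`; switch to HTTPS if the wiki supports it.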
@ -120,7 +125,13 @@ The following list does not exclusively contains Bug Bounty themed Accounts but
| [@yaworsk](https://twitter.com/yaworsk) | BB, Researcher, Author |
| [@yeswehack](https://twitter.com/yeswehack) | BB, Platform |
| [@zseano](https://twitter.com/zseano) | BB, Teaching |
| [@ZephrFish](https://twitter.com/ZephrFish) | BB,Researcher |
| [@CalumBoal](https://twitter.com/CalumBoal) | Pentester, Software dev, Coder |
| [@_superhero1](https://twitter.com/_superhero1) | Streamer, Content Creator, BB |
## Misc
- [ChaosComputerClub Germany Media Resources](https://media.ccc.de/) - bunch of conference talks and other media
- [Phrack](http://www.phrack.org/)
---
back to [Intro Page](/README.md)
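Review bot: The three new Twitter rows are appended after `@zseano`, which breaks the alphabetical order the visible rows follow (`@yaworsk`, `@yeswehack`, `@zseano`); `@CalumBoal` and `@_superhero1` in particular belong further up the table. "BB,Researcher" is missing the space after the comma, and the Phrack entry in the new Misc section has no description, unlike the CCC entry above it.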

View file

@ -12,6 +12,7 @@ This section will help you set up your testing environement.
- [Introduction to Docker for CTFs](https://www.youtube.com/watch?v=cPGZMt4cJ0I) (Works for Bug Bounty too) - by LiveOverflow
- [Docker Tutorial for Beginners - A Full DevOps Course on How to Run Applications in Containers](https://www.youtube.com/watch?v=fqMOX6JJhGo) - freecodecamp
- [Creating Wordlists for Pentesting & Bug Bounty](https://www.youtube.com/watch?v=QGbTaxtEQlg) - by nahamsec
- [Setup bugbounty hunting env on termux](https://www.hahwul.com/2020/05/setup-bugbounty-hunting-env-on-termux-d.html?m=1) - by @hahwul
## Burp Suite
This section should help you get familiar with BurpSuite.
- [Setting up Burp (Video Series)](https://www.hacker101.com/playlists/burp_suite) by Hacker101
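Review bot: The termux link added to this list ends in `?m=1`, a query parameter on the URL as copied; drop the query string so the entry points at the canonical page. The credit "by @hahwul" could also be a link, as author handles are in the other lists.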

View file

@ -49,6 +49,7 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
|[Knockpy](https://github.com/guelfoweb/knock)|A python tool designed to enumerate subdomains on a target domain through a wordlist|Python|[@guelforweb](http://twitter.com/guelfoweb)|
|[crithit](https://github.com/codingo/crithit)|Takes a single wordlist item and tests it one by one over a large collection of hosts before moving onto the next. Create signatures to cross-check vulnerabilities over multiple hosts.|C++|[codingo](https://github.com/codingo)|
|[nuclei](https://github.com/projectdiscovery/nuclei)|"Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use."|Go|[ProjectDiscovery](https://github.com/projectdiscovery)|
|[SpiderFoot](https://github.com/smicallef/spiderfoot)|SpiderFoot is an OSINT automation tool that queries over 100 data sources to build up a complete profile of your target, from host enumeration, to breached e-mail addresses and more.|Python|[SpiderFoot](http://twitter.com/spiderfoot)|
#### OSINT Webpages
@ -70,9 +71,6 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
### Exploitation
| Name | Description | Written in | Created by |
|------ |------------- | ------------ |------------- |
@ -82,6 +80,8 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
|------ |------------- | ------------ |------------- |
|[Nmap](https://nmap.org)|A well known and powerful Tool for port scanning. Nmap provides the possibility to use scripts to further customize its functionality. |C, C++, Python, Lua|Gordon Lyon|
|[Masscan](https://github.com/robertdavidgraham/masscan)|This is an Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.|C|Robert David Graham|
|[KeyHacks](https://github.com/streaak/keyhacks)|Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.|/|streaak|
|[Nmap command helper](https://competent-goldberg-e5eefe.netlify.app/)|A tool that helps you with nmap commands. Has a build in training feature to help memorizing them.||0x0n0x|
### Mobile Hacking
| Name | Description | Written in | Created by |
|------ |------------- | ------------ |------------- |
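Review bot: In the two rows added below Masscan, the "Written in" cell is `/` for KeyHacks and empty for Nmap command helper; pick one convention for "not applicable" (rows such as SecLists in this file leave the cell empty). In the Nmap command helper description, "Has a build in training feature to help memorizing them" should read "built-in" and "memorize".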
@ -99,7 +99,10 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
|------ |------------- | ------------ |------------- |
|[Reconness](https://github.com/reconness/reconness)|"ReconNess helps you to run and keep all your #recon in the same place allowing you to focus only on the potentially vulnerable targets without distraction and without required a lot of bash skill or programing skill in general."|C#|[Reconness](https://github.com/reconness)|
|[Updog](https://github.com/sc0tfree/updog)|"Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use HTTP basic auth."|Python|[sc0tfree](https://github.com/sc0tfree)|
|[Notion](notion.so)|"Write, plan, collaborate, and get organized — all in one tool."||Notion Labs|
|[Joplin](https://joplinapp.org/)|"Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. The notes are searchable, can be copied, tagged and modified either from the applications directly or from your own text editor. The notes are in Markdown format."|JavaScript|Laurent Cozic|
|[Xmind](https://www.xmind.net/)|XMind, a full-featured mind mapping and brainstorming tool, designed to generate ideas, inspire creativity, brings productivity in a remote WFH team.|/|XMind Ltd.|
|[Axiom](https://github.com/pry0cc/axiom)|Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty and pentesting.|Bash|[@pry0cc](https://twitter.com/pry0cc)|
### Others
| Name | Description | Written in | Created by |
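Review bot: The Notion row links to `notion.so` without a scheme, so Markdown renderers will treat it as a path relative to this file instead of an external site; write the full `https://` URL. The changelog in this commit also files Axiom under "the Notes section", which does not match its description here as utilities for managing infrastructure, so check that the row sits in the table you intended.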
@ -107,6 +110,9 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
|[SecLists](https://github.com/danielmiessler/SecLists)|A huge collection of word lists for hacking.||Daniel Miessler|
|[Recon Pi](https://github.com/x1mdev/ReconPi)|A lightweight recon tool that performs extensive reconnaissance with the latest tools using a Raspberry Pi.||[@x1m_martijn](https://twitter.com/x1m_martijn)|
|[CyberChef](https://gchq.github.io/CyberChef/)|Awesome Tool for de-/encoding stuff. Try it out!|JavaScript|[gchq](https://github.com/gchq)|
|[webhook.site](https://webhook.site)|Webhook.site allows you to easily test, inspect, forward and create Custom Actions for any incoming HTTP request or e-mail.||[fredsted](https://github.com/fredsted)|
|[requestcatcher](https://requestcatcher.com/)|Request Catcher will create a subdomain on which you can test an application. All requests sent to any path on the subdomain are forwarded to your browser in real time.|||
|[canarytokens](https://canarytokens.org/)|[Description](https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html)||[Thinkst Canary](canary.tools)|
---
back to [Intro Page](/README.md)
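Review bot: In the canarytokens row, the creator link `[Thinkst Canary](canary.tools)` has no scheme and will resolve as a relative path; write the full `https://` URL. The description cell holds only a link labelled "Description", where the neighbouring rows give a one-line summary, and the requestcatcher row leaves the creator cell empty.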