Merge pull request #12 from AshF0x/master

Update 2020.02

README.md

@@ -6,7 +6,9 @@ There are a number of new hackers joining the community on a regular basis and m
 
 We understand that there are more resources other than the ones we have listed and we hope to cover more resources in the near future!<br>
 
-[Changelog: See what's new!](/assets/changelog.md)
+## Current Version: 2020.02 
+
+[Changelog: See what's new!](/assets/changelog.md) 📣
 
 ---
 ## Table of Contents

assets/blogposts.md

@@ -1,6 +1,6 @@
 # Resources-for-Beginner-Bug-Bounty-Hunters
 
-## Blog posts
+## Blog posts 📝
 A collection of Blog Posts ordered by Vulnerability Types
 - [XSS](#XSS)
     - [DOM XSS](#DOM-XSS)
@@ -19,7 +19,10 @@ A collection of Blog Posts ordered by Vulnerability Types
 - [Buffer Overflow](#Buffer-Overflow)
 - [IDOR](#IDOR)
 - [GraphQL](#GraphQL)
+- [RCE](#RCE)
+- [Recon](#Recon)
 - [Misc](#Misc)
+---
 ## XSS
 You can find a ton of awesome XSS reports by searching through the HackerOne Hacktivity Page (https://hackerone.com/hacktivity?querystring=XSS). Here are some more complex and some of my favorite XSS related blog posts:
 
@@ -92,18 +95,26 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
 - [Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method](https://www.indoappsec.in/2019/12/airbnb-steal-earning-of-airbnb-hosts-by.html) - [Vijay Kumar ](https://twitter.com/IndoAppSec)
 - [GraphQL IDOR leads to information disclosure](https://medium.com/@R0X4R/graphql-idor-leads-to-information-disclosure-175eb560170d) - [@R0X4R](https://twitter.com/R0X4R)
 - [From Multiple IDORs leading to Code Execution on a different Host Container](https://www.rahulr.in/2019/10/idor-to-rce.html?m=1) - [@Rahul_R95](https://twitter.com/Rahul_R95)
+- [Automating BURP to find IDORs](https://medium.com/cyberverse/automating-burp-to-find-idors-2b3dbe9fa0b8) - [Aditya Soni](https://medium.com/@hetroublemakr)
 
 ## GraphQL
 - [Private System Note Disclosure using GraphQL](https://hackerone.com/reports/633001) - Ron Chan
 - [Graphql Abuse to Steal Anyone’s Address](https://blog.usejournal.com/graphql-bug-to-steal-anyones-address-fc34f0374417) - pratik yadav
 
-## Misc
+## RCE
+- [My First RCE (Stressed Employee gets me 2x bounty)](https://medium.com/@abhishake100/my-first-rce-stressed-employee-gets-me-2x-bounty-c4879c277e37) - [Abhishek Yadav](https://medium.com/@abhishake100)
+
+## Recon
+- [Subdomain Recon Using Certificate Search Technique](https://www.r00tpgp.com/2020/01/subdomain-recon-using-certificate.html?m=0)
 - [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) - [maverickNerd](https://github.com/maverickNerd)
+
+## Misc
 - [Hacking GitHub with Unicode's dotless 'i'](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)
 - [Abusing autoresponders and email bounces](https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2) - securinti
 - [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) - [@nj_dav](https://twitter.com/nj_dav)
 - [Cracking reCAPTCHA, Turbo Intruder style](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style) - James Kettle
 - [Abusing ImageMagick to obtain RCE](https://strynx.org/imagemagick-rce/) - [strynx](https://strynx.org/)
+- [How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN](https://blog.detectify.com/2019/09/19/alyssa-herrera-pulse-corporate-networks-ssl-vpn/) - [Alyssa Herrera](https://twitter.com/Alyssa_Herrera_)
 
 ---
 back to [Intro Page](/README.md)

assets/changelog.md

@@ -1,9 +1,32 @@
 # Resources-for-Beginner-Bug-Bounty-Hunters
 
-## Changelog
+## Changelog 📬
 
 Updates to this repo will be pushed monthly. You can read about the latest changes below.
 
+---
+
+## Update 2020.02
+### Added
+- New XSS Lab: **XSS Labs from PwnFunction**
+- New Recon & OSINT Tool: **Reconness**
+- New [IDOR Blogspost](/assets/blogposts.md#IDOR): **Automating BURP to find IDORs**
+- New [Misc Blogpost](/assets/blogposts.md#Misc): **How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN**
+- New Blogspost Category: [RCE](/assets/blogposts.md#RCE)
+    - New RCE Blogpost: **My First RCE (Stressed Employee gets me 2x bounty)**
+- New Blogpost Cetegory: [Recon](/assets/blogposts.md#Recon)
+    - New Recon Blogpost/Guide: **Subdomain Recon Using Certificate Search Technique**
+- New Vulnerabilities Post: **The 7 main XSS cases everyone should know**
+- Added Jason Haddix to [Media](/assets/media.md) (contributed by [securibee](https://github.com/securibee))
+
+## Changed
+- Moved **Notes about Nahamsecs Recon Sessions** from [Misc](/assets/blogposts.md#Misc) to [Recon](/assets/blogposts.md#Recon)
+
+### Fixed
+- Typos in [Media](/assets/media.md) (contributed by [securibee](https://github.com/securibee))
+
+---
+
 ## Update 2020.01
 ### Added
 - New changelog page

assets/labs.md

@@ -1,6 +1,6 @@
 # Resources-for-Beginner-Bug-Bounty-Hunters
 
-## Labs & Testing Environments
+## Labs & Testing Environments 🧪
 
 ## General
 - [Hacker101](https://www.hacker101.com/) | Good Exercises for Beginners, can earn you private Invites on HackerOne
@@ -11,6 +11,7 @@
 - [DWVA](http://www.dvwa.co.uk)
 - [Google Gruyere](https://google-gruyere.appspot.com/)
 - [Web Security Academy by PortSwigger](https://portswigger.net/web-security)
+- [XSS Labs from PwnFunction](https://xss.pwnfunction.com/) Great Labs in a beautiful layout
 
 ---
 back to [Intro Page](/README.md)

assets/media.md

@@ -1,9 +1,9 @@
 # Resources-for-Beginner-Bug-Bounty-Hunters
 
-## Media Resources
+## Media Resources 🎬
 Here you find listings to useful media creations that can help beginners in different ways.
 
-- [YoutTube Channels](#Youtube-Channels)
+- [YouTube Channels](#Youtube-Channels)
 - [Streamers](#Streamers)
 - [Podcasts](#Podcasts)
 - [Books](#Books)
@@ -19,12 +19,14 @@ Here you find listings to useful media creations that can help beginners in diff
 - [InsiderPhD](https://www.youtube.com/channel/UCPiN9NPjIer8Do9gUFxKv7A) - An excellent Introduction series for beginners to help them find their first bug.
 - [PwnFunction](https://www.youtube.com/PwnFunction) explanatory videos about Web App vulnerabilities
 - [DEFCONConference](https://www.youtube.com/user/DEFCONConference/videos) - Tons of Talks from Defcon.
+- [Jason Haddix](https://www.youtube.com/channel/UCk0f0svao7AKeK3RfiWxXEA) - VODs of his Stream
 
 ## Streamers
 - [Nahamsec](https://www.twitch.com/nahamsec) on Twitch
 - [d0nutptr](https://www.twitch.tv/d0nutptr/) on Twitch
-- [The Cyber Mentor](https://twitch.tv/theblindhackercybermentor) on Twitch
+- [The Cyber Mentor](https://twitch.tv/thecybermentor) on Twitch
 - [The Blind Hacker](https://twitch.tv/theblindhacker) on Twitch
+- [Jason Haddix](https://www.twitch.tv/js0n_x/) on Twitch
 
 
 ## Podcasts

assets/mobile.md

@@ -1,6 +1,6 @@
 # Resources-for-Beginner-Bug-Bounty-Hunters
 
-## Mobile Hacking
+## Mobile Hacking 📱
 Since there are quite a lot of people asking for Beginner Guides to Mobile Hacking specificaly we gave it a section on itself.
 
 ## Getting Started

assets/setup.md

@@ -1,6 +1,6 @@
 # Resources-for-Beginner-Bug-Bounty-Hunters
 
-## Setup
+## Setup 💻
 This section will help you set up your testing environement.
 - [Setting Up Your Ubuntu Box for Pentest and Bug Bounty Automation](https://www.youtube.com/watch?v=YhUiAH5SIqk) by nahamsec
 - [Setting up your own web server on a VPS](https://www.linux.com/learn/easy-lamp-server-installation)

assets/tools.md

@@ -1,6 +1,6 @@
 # Resources-for-Beginner-Bug-Bounty-Hunters
 
-## Tools
+## Tools 🧰
 
 Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
 
@@ -33,6 +33,7 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
 |[httprobe](https://github.com/tomnomnom/httprobe)|Take a list of domains and probe for working http and https servers.|Go|[Tom Hudson](https://github.com/tomnomnom)|
 |[Osmedeus](https://github.com/j3ssie/Osmedeus)|Fully automated offensive security framework for reconnaissance and vulnerability scanning|Python|[j3ssie](https://github.com/j3ssie)|
 |[hakrawler](https://github.com/hakluke/hakrawler)|hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover Forms, Endpoints, Subdomains, Related documents and JS Files|Go|[@hakluke](https://twitter.com/hakluke)|
+|[Reconness](https://github.com/reconness)|A Web App Tool to Run and Keep all your #recon in the same place.|C#|[@reconness](https://twitter.com/reconness)|
 
 #### OSINT Webpages
 | Name 	| Description 	    | Created by   |

assets/vulns.md

@@ -1,6 +1,6 @@
 # Resources-for-Beginner-Bug-Bounty-Hunters
 
-## Vulnerabilities
+## Vulnerabilities 💉
 Compact descriptions of common vulnerability types with links to useful resources. 
 ### Online Resources
 - [Owasp Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)
@@ -16,6 +16,7 @@ As we start to build this repository, we'll be adding more vulnerability types a
 - [Google Application Security (XSS Guide)](https://www.google.com/intl/am_AD/about/appsecurity/learning/xss/)
 - [What is PHP and why is XSS so common there?](https://www.youtube.com/watch?v=Q2mGcbkX550) - by LiveOverflow
 - [Finding Your First Bug: Cross Site Scripting (XSS)](https://www.youtube.com/watch?v=IWbmP0Z-yQg) - by InsiderPhD
+- [The 7 main XSS cases everyone should know](https://brutelogic.com.br/blog/the-7-main-xss-cases-everyone-should-know/) - [brutelogic](https://brutelogic.com.br/blog/about/)
 
 ## Cross-Site Request Forgery (CSRF)
 - [Cross-Site Request Forgery Attack](https://www.youtube.com/watch?v=eWEgUcHPle0) - by PwnFunction