see changelog

This commit is contained in:
AshF0x 2020-01-15 16:12:27 +01:00
parent f5a8b7307b
commit e8ba9c566d
5 changed files with 19 additions and 0 deletions

View file

@ -19,6 +19,7 @@ A collection of Blog Posts ordered by Vulnerability Types
- [Buffer Overflow](#Buffer-Overflow)
- [IDOR](#IDOR)
- [GraphQL](#GraphQL)
- [RCE](#RCE)
- [Misc](#Misc)
---
## XSS
@ -93,11 +94,15 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
- [Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method](https://www.indoappsec.in/2019/12/airbnb-steal-earning-of-airbnb-hosts-by.html) - [Vijay Kumar ](https://twitter.com/IndoAppSec)
- [GraphQL IDOR leads to information disclosure](https://medium.com/@R0X4R/graphql-idor-leads-to-information-disclosure-175eb560170d) - [@R0X4R](https://twitter.com/R0X4R)
- [From Multiple IDORs leading to Code Execution on a different Host Container](https://www.rahulr.in/2019/10/idor-to-rce.html?m=1) - [@Rahul_R95](https://twitter.com/Rahul_R95)
- [Automating BURP to find IDORs](https://medium.com/cyberverse/automating-burp-to-find-idors-2b3dbe9fa0b8) - [Aditya Soni](https://medium.com/@hetroublemakr)
## GraphQL
- [Private System Note Disclosure using GraphQL](https://hackerone.com/reports/633001) - Ron Chan
- [Graphql Abuse to Steal Anyones Address](https://blog.usejournal.com/graphql-bug-to-steal-anyones-address-fc34f0374417) - pratik yadav
## RCE
- [My First RCE (Stressed Employee gets me 2x bounty)](https://medium.com/@abhishake100/my-first-rce-stressed-employee-gets-me-2x-bounty-c4879c277e37) - [Abhishek Yadav](https://medium.com/@abhishake100)
## Misc
- [Notes about Nahamsecs Recon Sessions](https://mavericknerd.github.io/knowledgebase/nahamsec/recon_session_1/) - [maverickNerd](https://github.com/maverickNerd)
- [Hacking GitHub with Unicode's dotless 'i'](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)
@ -105,6 +110,7 @@ You can find a ton of awesome XSS reports by searching through the HackerOne Hac
- [Abusing HTTP hop-by-hop request headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) - [@nj_dav](https://twitter.com/nj_dav)
- [Cracking reCAPTCHA, Turbo Intruder style](https://portswigger.net/research/cracking-recaptcha-turbo-intruder-style) - James Kettle
- [Abusing ImageMagick to obtain RCE](https://strynx.org/imagemagick-rce/) - [strynx](https://strynx.org/)
- [How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN](https://blog.detectify.com/2019/09/19/alyssa-herrera-pulse-corporate-networks-ssl-vpn/) - [Alyssa Herrera](https://twitter.com/Alyssa_Herrera_)
---
back to [Intro Page](/README.md)
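Review bot: "Abusing ImageMagick to obtain RCE" stays in the Misc list, directly above the new SSL VPN entry, even though this commit introduces a dedicated RCE category that so far holds a single post. Consider moving that entry under `## RCE` so the new section is where readers find RCE write-ups.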

View file

@ -4,6 +4,16 @@
Updates to this repo will be pushed monthly. You can read about the latest changes below.
## Update 2020.02
### Added
- New XSS Lab: **XSS Labs from PwnFunction**
- New Recon & OSINT Tool: **Reconness**
- New [IDOR Blogspost](/assets/blogposts.md#IDOR): **Automating BURP to find IDORs**
- New [Misc Blogpost](/assets/blogposts.md#Misc): **How to Get a Finger on the Pulse of Corporate Networks via the SSL VPN**
- New Blogspost Category: [RCE](/assets/blogposts.md#RCE)
- New RCE Blogpost :**My First RCE (Stressed Employee gets me 2x bounty)**
- New Vulnerabilities Post: **The 7 main XSS cases everyone should know**
## Update 2020.01
### Added
- New changelog page
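Review bot: the new 2020.02 entries contain typos and uneven formatting. "Blogspost" appears twice (the IDOR line and the "New Blogspost Category" line), and "New RCE Blogpost :**My First RCE" has the space on the wrong side of the colon. The XSS Lab, Reconness and "7 main XSS cases" entries also carry no link, while the blog post entries link to their section; linking them to the labs, tools and vulnerabilities pages would make the changelog consistent. The section is also headed 2020.02 although the commit is dated 2020-01-15, so confirm that these items are meant for the February update.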

View file

@ -11,6 +11,7 @@
- [DWVA](http://www.dvwa.co.uk)
- [Google Gruyere](https://google-gruyere.appspot.com/)
- [Web Security Academy by PortSwigger](https://portswigger.net/web-security)
- [XSS Labs from PwnFunction](https://xss.pwnfunction.com/) Great Labs in a beautiful layout
---
back to [Intro Page](/README.md)
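Review bot: the XSS Labs from PwnFunction entry is the only item in this list with a trailing description, and "Great Labs in a beautiful layout" follows the link with no separator. Either drop the description to match the other entries or set it off with " - " as the blog post lists do.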

View file

@ -33,6 +33,7 @@ Here you can find links to a bunch of useful tools for Bug Bounty Hunting.
|[httprobe](https://github.com/tomnomnom/httprobe)|Take a list of domains and probe for working http and https servers.|Go|[Tom Hudson](https://github.com/tomnomnom)|
|[Osmedeus](https://github.com/j3ssie/Osmedeus)|Fully automated offensive security framework for reconnaissance and vulnerability scanning|Python|[j3ssie](https://github.com/j3ssie)|
|[hakrawler](https://github.com/hakluke/hakrawler)|hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover Forms, Endpoints, Subdomains, Related documents and JS Files|Go|[@hakluke](https://twitter.com/hakluke)|
|[Reconness](https://github.com/reconness)|A Web App Tool to Run and Keep all your #recon in the same place.|C#|[@reconness](https://twitter.com/reconness)|
#### OSINT Webpages
| Name | Description | Created by |
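Review bot: the Reconness row links to `https://github.com/reconness`, which has no repository path, while every other row in this table links to an owner/repository URL such as `https://github.com/hakluke/hakrawler`. Point the link at the specific repository so it matches the Language column entry (C#) and does not break if more projects appear under that account.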

View file

@ -16,6 +16,7 @@ As we start to build this repository, we'll be adding more vulnerability types a
- [Google Application Security (XSS Guide)](https://www.google.com/intl/am_AD/about/appsecurity/learning/xss/)
- [What is PHP and why is XSS so common there?](https://www.youtube.com/watch?v=Q2mGcbkX550) - by LiveOverflow
- [Finding Your First Bug: Cross Site Scripting (XSS)](https://www.youtube.com/watch?v=IWbmP0Z-yQg) - by InsiderPhD
- [The 7 main XSS cases everyone should know](https://brutelogic.com.br/blog/the-7-main-xss-cases-everyone-should-know/) - [brutelogic](https://brutelogic.com.br/blog/about/)
## Cross-Site Request Forgery (CSRF)
- [Cross-Site Request Forgery Attack](https://www.youtube.com/watch?v=eWEgUcHPle0) - by PwnFunction
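Review bot: the new "The 7 main XSS cases everyone should know" entry credits its author as a bare link, `- [brutelogic](...)`, while the neighbouring entries use the form "- by LiveOverflow" and "- by InsiderPhD". Add "by" before the link to keep the attribution style uniform in this list.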