diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md index 62e238642..ef5ad9ce6 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -114,7 +114,7 @@ You can use the linux command line tool **pdftotext** to transform a pdf into te **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/generic-methodologies-and-resources/exfiltration.md b/generic-methodologies-and-resources/exfiltration.md index e1f2fd31a..9051fe136 100644 --- a/generic-methodologies-and-resources/exfiltration.md +++ b/generic-methodologies-and-resources/exfiltration.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -386,7 +386,7 @@ Then copy-paste the text into the windows-shell and a file called nc.exe will be **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md b/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md index 37f7de065..7f80ae2d4 100644 --- a/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md +++ b/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -38,7 +38,7 @@ When you look for leaks in a repo and run something like `git log -p` don't forg **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md b/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md index 53ee132b9..442eed46f 100644 --- a/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md +++ b/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -1127,7 +1127,7 @@ will be bypassed **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/generic-methodologies-and-resources/shells/linux.md b/generic-methodologies-and-resources/shells/linux.md index 7f38e3c8f..03caeb114 100644 --- a/generic-methodologies-and-resources/shells/linux.md +++ b/generic-methodologies-and-resources/shells/linux.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -400,7 +400,7 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/generic-methodologies-and-resources/shells/windows.md b/generic-methodologies-and-resources/shells/windows.md index ae9be4d66..aa2297346 100644 --- a/generic-methodologies-and-resources/shells/windows.md +++ b/generic-methodologies-and-resources/shells/windows.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -572,7 +572,7 @@ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive ​ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/generic-methodologies-and-resources/tunneling-and-port-forwarding.md b/generic-methodologies-and-resources/tunneling-and-port-forwarding.md index 5837ef273..f92548b30 100644 --- a/generic-methodologies-and-resources/tunneling-and-port-forwarding.md +++ b/generic-methodologies-and-resources/tunneling-and-port-forwarding.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -621,7 +621,7 @@ tunnels: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/linux-hardening/linux-environment-variables.md b/linux-hardening/linux-environment-variables.md index ed3c56319..df5f54685 100644 --- a/linux-hardening/linux-environment-variables.md +++ b/linux-hardening/linux-environment-variables.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -143,7 +143,7 @@ One background job, one stopped and last command didn't finish correctly: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/mobile-pentesting/android-app-pentesting/README.md b/mobile-pentesting/android-app-pentesting/README.md index 2482b40a9..71df6148a 100644 --- a/mobile-pentesting/android-app-pentesting/README.md +++ b/mobile-pentesting/android-app-pentesting/README.md @@ -482,6 +482,7 @@ If you want to pentest Android applications you need to know how to use Frida. * Some "GUI" for actions with Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security) * Ojection is great to automate the use of Frida: [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon) * You can find some Awesome Frida scripts here: [**https://codeshare.frida.re/**](https://codeshare.frida.re) +* Try to bypass anti-debugging / anti-frida mechanisms loading Frida as in indicated in [https://erfur.github.io/blog/dev/code-injection-without-ptrace](https://erfur.github.io/blog/dev/code-injection-without-ptrace) (tool [linjector](https://github.com/erfur/linjector-rs)) ### **Dump Memory - Fridump** diff --git a/mobile-pentesting/android-app-pentesting/android-applications-basics.md b/mobile-pentesting/android-app-pentesting/android-applications-basics.md index 2f61a205a..18e98dc72 100644 --- a/mobile-pentesting/android-app-pentesting/android-applications-basics.md +++ b/mobile-pentesting/android-app-pentesting/android-applications-basics.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -417,7 +417,7 @@ if (dpm.isAdminActive(adminComponent)) { **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/mobile-pentesting/android-app-pentesting/android-task-hijacking.md b/mobile-pentesting/android-app-pentesting/android-task-hijacking.md index 2bf5e7e91..6e807fe8d 100644 --- a/mobile-pentesting/android-app-pentesting/android-task-hijacking.md +++ b/mobile-pentesting/android-app-pentesting/android-task-hijacking.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -66,7 +66,7 @@ To prevent such attacks, developers can set `taskAffinity` to an empty string an **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md b/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md index 0d25587fd..5e4820e8b 100644 --- a/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md +++ b/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -71,7 +71,7 @@ Finally, you need just to **sign the new application**. [Read this section of th **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/mobile-pentesting/android-checklist.md b/mobile-pentesting/android-checklist.md index 8c89c8517..791130ff5 100644 --- a/mobile-pentesting/android-checklist.md +++ b/mobile-pentesting/android-checklist.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -77,7 +77,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/mobile-pentesting/ios-pentesting-checklist.md b/mobile-pentesting/ios-pentesting-checklist.md index b6413bd9b..b22199582 100644 --- a/mobile-pentesting/ios-pentesting-checklist.md +++ b/mobile-pentesting/ios-pentesting-checklist.md @@ -24,7 +24,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -120,7 +120,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/43-pentesting-whois.md b/network-services-pentesting/43-pentesting-whois.md index ebf909d07..82582673b 100644 --- a/network-services-pentesting/43-pentesting-whois.md +++ b/network-services-pentesting/43-pentesting-whois.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -54,7 +54,7 @@ Also, the WHOIS service always needs to use a **database** to store and extract **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/49-pentesting-tacacs+.md b/network-services-pentesting/49-pentesting-tacacs+.md index 14cf1939d..b6f274c9d 100644 --- a/network-services-pentesting/49-pentesting-tacacs+.md +++ b/network-services-pentesting/49-pentesting-tacacs+.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -62,7 +62,7 @@ By gaining access to the control panel of network equipment using the obtained c **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/7-tcp-udp-pentesting-echo.md b/network-services-pentesting/7-tcp-udp-pentesting-echo.md index 01a29b2ac..d9925968e 100644 --- a/network-services-pentesting/7-tcp-udp-pentesting-echo.md +++ b/network-services-pentesting/7-tcp-udp-pentesting-echo.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -58,7 +58,7 @@ Hello echo #This is the response **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/ipsec-ike-vpn-pentesting.md b/network-services-pentesting/ipsec-ike-vpn-pentesting.md index d30114796..be22f326f 100644 --- a/network-services-pentesting/ipsec-ike-vpn-pentesting.md +++ b/network-services-pentesting/ipsec-ike-vpn-pentesting.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -292,7 +292,7 @@ Ensure that actual, secure values are used to replace the placeholders when conf **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/pentesting-ftp/README.md b/network-services-pentesting/pentesting-ftp/README.md index 3988e4f61..7436db2e4 100644 --- a/network-services-pentesting/pentesting-ftp/README.md +++ b/network-services-pentesting/pentesting-ftp/README.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -247,7 +247,7 @@ The default configuration of vsFTPd can be found in `/etc/vsftpd.conf`. In here, **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md b/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md index 6546669a4..3746b725c 100644 --- a/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md +++ b/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -56,7 +56,7 @@ nmap -v -p 21,22,445,80,443 -b ftp:ftp@10.2.1.5 192.168.0.1/24 #Scan the interna **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/pentesting-imap.md b/network-services-pentesting/pentesting-imap.md index 046f98930..3dc0ab0bc 100644 --- a/network-services-pentesting/pentesting-imap.md +++ b/network-services-pentesting/pentesting-imap.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -182,7 +182,7 @@ done **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md index 1e94c03f0..4c69adca8 100644 --- a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md +++ b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -541,7 +541,7 @@ You probably will be able to **escalate to Administrator** following one of thes * [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/) **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/pentesting-pop.md b/network-services-pentesting/pentesting-pop.md index 64da393df..c8af53f60 100644 --- a/network-services-pentesting/pentesting-pop.md +++ b/network-services-pentesting/pentesting-pop.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -113,7 +113,7 @@ From [https://academy.hackthebox.com/module/112/section/1073](https://academy.ha **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md b/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md index 3769332bd..5397c0042 100644 --- a/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md +++ b/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -105,7 +105,7 @@ To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ work **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/pentesting-web/graphql.md b/network-services-pentesting/pentesting-web/graphql.md index a5f14f057..f7711d762 100644 --- a/network-services-pentesting/pentesting-web/graphql.md +++ b/network-services-pentesting/pentesting-web/graphql.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
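Review bot: in the `@@ -9,7 +9,7 @@` hunk the only change is escaping the underscore in the link destination (`hacktricks_live` to `hacktricks\_live`), which is GitBook export noise rather than a content fix, and it repeats in the `@@ -543` hunk of this file and in the dangling-markup README hunks below; consider keeping such auto-escaped churn out of content PRs so the substantive additions stand out. While touching this line, note that the visible handle `@carlospolopm` does not match the URL `https://twitter.com/hacktricks_live` on both the `-` and `+` sides; align the link text with the account the URL points to.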
@@ -26,14 +26,14 @@ With the advent of new technologies, including GraphQL, new security vulnerabili To identify exposed GraphQL instances, the inclusion of specific paths in directory brute force attacks is recommended. These paths are: -- `/graphql` -- `/graphiql` -- `/graphql.php` -- `/graphql/console` -- `/api` -- `/api/graphql` -- `/graphql/api` -- `/graphql/graphql` +* `/graphql` +* `/graphiql` +* `/graphql.php` +* `/graphql/console` +* `/api` +* `/api/graphql` +* `/graphql/api` +* `/graphql/graphql` Identifying open GraphQL instances allows for the examination of supported queries. This is crucial for understanding the data accessible through the endpoint. GraphQL's introspection system facilitates this by detailing the queries a schema supports. For more information on this, refer to the GraphQL documentation on introspection: [**GraphQL: A query language for APIs.**](https://graphql.org/learn/introspection/) @@ -375,6 +375,10 @@ mutation { } ``` +### Directive Overloading + +As explained in [**one of the vulns described in this report**](https://www.landh.tech/blog/20240304-google-hack-50000/), a directive overloading implies to call of a directive even millions of times to make the server waste operations until it's possible to DoS it. + ### Batching brute-force in 1 API request This information was take from [https://lab.wallarm.com/graphql-batching-attack/](https://lab.wallarm.com/graphql-batching-attack/).\ 
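Review bot: the new `### Directive Overloading` paragraph is ungrammatical and gives the reader nothing concrete to try. "a directive overloading implies to call of a directive even millions of times to make the server waste operations until it's possible to DoS it" should read along the lines of "directive overloading consists of repeating a directive many (even millions of) times in a single query so the server wastes work on each one until it can be DoSed". Since the rest of this file shows a request for every technique (the batching section right below it does), add a minimal example query with a repeated directive and a one-line mitigation (cap the number of directives accepted per query) so the section is actionable rather than just a pointer to the report.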
@@ -543,7 +547,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md index c741041e2..801248888 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -76,7 +76,7 @@ $file = file_get_contents($url, false, $context); **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/pentesting-web/tomcat.md b/network-services-pentesting/pentesting-web/tomcat.md index 794ea0235..837250b0e 100644 --- a/network-services-pentesting/pentesting-web/tomcat.md +++ b/network-services-pentesting/pentesting-web/tomcat.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -268,7 +268,7 @@ msf> use post/windows/gather/enum_tomcat **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md b/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md index a17b660f7..74a5e56fd 100644 --- a/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md +++ b/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -159,7 +159,7 @@ The file shows us what each of the roles `manager-gui`, `manager-script`, `manag **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/pentesting-web/bypass-payment-process.md b/pentesting-web/bypass-payment-process.md index cc114b36a..056d08ac4 100644 --- a/pentesting-web/bypass-payment-process.md +++ b/pentesting-web/bypass-payment-process.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -54,7 +54,7 @@ If you encounter a parameter that contains a URL, especially one following the p **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/pentesting-web/content-security-policy-csp-bypass/README.md b/pentesting-web/content-security-policy-csp-bypass/README.md index 4deb79cb5..5312a2844 100644 --- a/pentesting-web/content-security-policy-csp-bypass/README.md +++ b/pentesting-web/content-security-policy-csp-bypass/README.md @@ -215,6 +215,10 @@ Moreover, even if you could upload a **JS code inside** a file using an extensio From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot ([some polyglot examples here](https://github.com/Polydet/polyglot-database)). +### Form-action + +If not possible to inject JS, you could still try to exfiltrate for example credentials **injecting a form action** (and maybe expecting password managers to auto-fill passwords). You can find an [**example in this report**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp). Also, notice that `default-src` does not cover form actions. + ### Third Party Endpoints + ('unsafe-eval') {% hint style="warning" %} @@ -318,6 +322,18 @@ More [**payloads from this writeup**](https://joaxcar.com/blog/2024/02/19/csp-by b.nonce=a.nonce; doc.body.appendChild(b)'> ``` +#### Abusing www.google.com for open redirect + +The following URL redirects to example.com (from [here](https://www.landh.tech/blog/20240304-google-hack-50000/)): + +``` +https://www.google.com/amp/s/example.com/ +``` + +Abusing \*.google.com/script.google.com + +It's possible to abuse Google Apps Script to receive information in a page inside script.google.com. Like it's [done in this report](https://embracethered.com/blog/posts/2023/google-bard-data-exfiltration/). + ### Third Party Endpoints + JSONP ```http 
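Review bot: the `@@ -215,6 +215,10 @@` hunk (`### Form-action`) opens with "If not possible to inject JS", which is missing its subject; suggest "If you cannot inject JS, you can still try to exfiltrate credentials by injecting a form action (and maybe relying on password managers to auto-fill passwords)". The closing remark "notice that `default-src` does not cover form actions" is the key security point of the section, so state it positively: form submissions are governed only by an explicit `form-action` directive, and a policy that sets `default-src` without `form-action` leaves them unrestricted. That tells the reader both what to look for in the policy and what the fix is.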
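Review bot: in the `@@ -318,6 +322,18 @@` hunk the second heading, `Abusing \*.google.com/script.google.com`, is plain text while the one above it is `#### Abusing www.google.com for open redirect`; make it a `####` heading as well, and drop the stray backslash before the `*`. "Like it's done in this report" is a fragment; fold it into the previous sentence ("...inside script.google.com, as done in this report"). More importantly, the open-redirect example (`https://www.google.com/amp/s/example.com/`) is listed under the CSP bypass section without saying why it matters here: spell out that when `www.google.com` is allowlisted in `script-src` or `connect-src`, this redirect turns the allowlisted host into a hop to an attacker-controlled one, which is the actual bypass.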
diff --git a/pentesting-web/cors-bypass.md b/pentesting-web/cors-bypass.md index b7da45379..8951d5c1e 100644 --- a/pentesting-web/cors-bypass.md +++ b/pentesting-web/cors-bypass.md @@ -379,6 +379,7 @@ You can find more information about the previous bypass techniques and how to us **Fuzz possible misconfigurations in CORS policies** +* [https://portswigger.net/bappstore/420a28400bad4c9d85052f8d66d3bbd8](https://portswigger.net/bappstore/420a28400bad4c9d85052f8d66d3bbd8) * [https://github.com/chenjj/CORScanner](https://github.com/chenjj/CORScanner) * [https://github.com/lc/theftfuzzer](https://github.com/lc/theftfuzzer) * [https://github.com/s0md3v/Corsy](https://github.com/s0md3v/Corsy) diff --git a/pentesting-web/dangling-markup-html-scriptless-injection/README.md b/pentesting-web/dangling-markup-html-scriptless-injection/README.md index 9481c0842..66c314e9b 100644 --- a/pentesting-web/dangling-markup-html-scriptless-injection/README.md +++ b/pentesting-web/dangling-markup-html-scriptless-injection/README.md 
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. @@ -79,6 +79,8 @@ The button can change the URL where the information of the form is going to be s An attacker can use this to steal the information. +Find an [**example of this attack in this writeup**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp). + ### Stealing clear text secrets 2 Using the latest mentioned technique to steal forms (injecting a new form header) you can then inject a new input field: 
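Review bot: the sentence added in the `@@ -79,6 +79,8 @@` hunk, "Find an example of this attack in this writeup", uses anchor text that hides what is being linked; name the source (the PortSwigger research post "Stealing passwords from infosec Mastodon without bypassing CSP", which is what the URL slug says) so the reader knows it is a real-world instance of form-action stealing. The same URL is added in this patch to the CSP bypass README under `### Form-action`; cross-link the two sections, since this page explains the injection and that one explains why CSP does not stop it.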
@@ -289,7 +291,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. diff --git a/pentesting-web/formula-csv-doc-latex-ghostscript-injection.md b/pentesting-web/formula-csv-doc-latex-ghostscript-injection.md index 2d39770d8..a910c3341 100644 --- a/pentesting-web/formula-csv-doc-latex-ghostscript-injection.md +++ b/pentesting-web/formula-csv-doc-latex-ghostscript-injection.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -219,7 +219,7 @@ From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/pentesting-web/h2c-smuggling.md b/pentesting-web/h2c-smuggling.md index 4d2d70c0f..7421fc087 100644 --- a/pentesting-web/h2c-smuggling.md +++ b/pentesting-web/h2c-smuggling.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -115,7 +115,7 @@ Check the labs to test both scenarios in [https://github.com/0ang3el/websocket-s **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/pentesting-web/hacking-with-cookies/README.md b/pentesting-web/hacking-with-cookies/README.md index a3e114ffa..78146af9c 100644 --- a/pentesting-web/hacking-with-cookies/README.md +++ b/pentesting-web/hacking-with-cookies/README.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -283,7 +283,7 @@ There should be a pattern (with the size of a used block). So, knowing how are a **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index 7ee4f2f97..0ac4a1316 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -590,7 +590,7 @@ Rancher's metadata can be accessed using: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md index 9b9cb3719..8cde1c3c7 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md +++ b/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -227,7 +227,7 @@ image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing- **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/pentesting-web/xs-search/css-injection/README.md b/pentesting-web/xs-search/css-injection/README.md index faef680b0..cc95934b7 100644 --- a/pentesting-web/xs-search/css-injection/README.md +++ b/pentesting-web/xs-search/css-injection/README.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -491,7 +491,7 @@ So, if the font does not match, the response time when visiting the bot is expec **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md b/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md index 3a4288099..d8555e35f 100644 --- a/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md +++ b/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md @@ -16,7 +16,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -125,7 +125,7 @@ For an example of this check the reference link. **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/reversing/common-api-used-in-malware.md b/reversing/common-api-used-in-malware.md index 8d15b52ed..d55280618 100644 --- a/reversing/common-api-used-in-malware.md +++ b/reversing/common-api-used-in-malware.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -158,7 +158,7 @@ The malware will unmap the legitimate code from memory of the process and load a **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/reversing/reversing-tools-basic-methods/README.md b/reversing/reversing-tools-basic-methods/README.md index c28da46ca..3fc30fe42 100644 --- a/reversing/reversing-tools-basic-methods/README.md +++ b/reversing/reversing-tools-basic-methods/README.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -427,7 +427,7 @@ So, in this challenge, knowing the values of the buttons, you needed to **press **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/stego/stego-tricks.md b/stego/stego-tricks.md index 8dc6bb69b..f7fe3b2b8 100644 --- a/stego/stego-tricks.md +++ b/stego/stego-tricks.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -239,7 +239,7 @@ For translating Braille, the [Branah Braille Translator](https://www.branah.com/ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/todo/radio-hacking/flipper-zero/README.md b/todo/radio-hacking/flipper-zero/README.md index 723f7d985..40384ae9f 100644 --- a/todo/radio-hacking/flipper-zero/README.md +++ b/todo/radio-hacking/flipper-zero/README.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -35,7 +35,7 @@ With [**Flipper Zero**](https://flipperzero.one/) you can: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md index 3c38c4c30..5fc668863 100644 --- a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md +++ b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -129,7 +129,7 @@ Get dBms of the saved frequencies **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/todo/radio-hacking/proxmark-3.md b/todo/radio-hacking/proxmark-3.md index d1f041114..4f1a34a17 100644 --- a/todo/radio-hacking/proxmark-3.md +++ b/todo/radio-hacking/proxmark-3.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -81,7 +81,7 @@ You can create a script to **fuzz tag readers**, so copying the data of a **vali **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/windows-hardening/checklist-windows-privilege-escalation.md b/windows-hardening/checklist-windows-privilege-escalation.md index 5c82ebb32..b04e6a603 100644 --- a/windows-hardening/checklist-windows-privilege-escalation.md +++ b/windows-hardening/checklist-windows-privilege-escalation.md @@ -16,7 +16,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -133,7 +133,7 @@ Other ways to support HackTricks: **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} diff --git a/windows-hardening/lateral-movement/dcom-exec.md b/windows-hardening/lateral-movement/dcom-exec.md index b5ec59fea..adc4c96b4 100644 --- a/windows-hardening/lateral-movement/dcom-exec.md +++ b/windows-hardening/lateral-movement/dcom-exec.md @@ -14,7 +14,7 @@ **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %} @@ -136,7 +136,7 @@ SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe **Try Hard Security Group** -
+
{% embed url="https://discord.gg/tryhardsecurity" %}
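Review bot: in the android-app-pentesting README hunk (`@@ -482,6 +482,7 @@`), the added bullet has a typo, "as in indicated in", which should be "as indicated in", and "loading Frida" should be "by loading Frida" so the sentence parses. The linked post is about code injection without ptrace (per its URL), so say that explicitly, e.g. "Try to bypass anti-debugging / anti-Frida mechanisms by loading Frida without ptrace, as described in ... (tool: linjector)"; that tells the reader why this is different from the regular `frida-server` approach listed above it.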
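Review bot: the cors-bypass.md hunk (`@@ -379,6 +379,7 @@`) adds a bare `https://portswigger.net/bappstore/420a28400bad4c9d85052f8d66d3bbd8` entry to the tool list; unlike the GitHub links beside it, the ID says nothing about which BApp it is, so add the extension's name as link text so readers can tell what they are installing without following an opaque URL.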