GitBook: [master] 2 pages modified

This commit is contained in:
CPol 2020-08-25 08:42:39 +00:00 committed by gitbook-bot
parent a7f381dadf
commit 8da46eec34
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 17 additions and 0 deletions

View file

@ -303,6 +303,19 @@ Now that we have built the list of assets of our scope it's time to search for s
**Dorks**: _AWS\_SECRET\_ACCESS\_KEY, API KEY, API SECRET, API TOKEN… ROOT PASSWORD, ADMIN PASSWORD, COMPANYNAME SECRET, COMPANYNAME ROOT, GCP SECRET, AWS SECRET, “username password” extension:sql, “private” extension:pgp..._
#### More Github Dorks
* extension:pem private
* extension:ppk private
* extension:sql mysql dump password
* extension:json api.forecast.io
* extension:json mongolab.com
* extension:yaml mongolab.com
* extension:ica \[WFClient\] Password=
* extension:avastlic “support.avast.com”
* extension:js jsforce conn.login
* extension:json googleusercontent client\_secret
## [**Pentesting Web Methodology**](pentesting/pentesting-web/)\*\*\*\*
Anyway, the **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](pentesting/pentesting-web/).
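Review bot: The `extension:avastlic “support.avast.com”` entry in the new "More Github Dorks" list uses typographic quotes, which code search does not treat as an exact-phrase delimiter, so anyone pasting it gets a different query than intended; use straight quotes (`"support.avast.com"`). The heading should also read "GitHub". Since the entries are bare queries, a short phrase beside each one saying what kind of secret it surfaces (private keys, database dumps, OAuth client secrets) would let readers use the list to audit their own organisation's repositories without guessing.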

View file

@ -13,6 +13,10 @@ X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwared-Host: 127.0.0.1
#or use double X-Forwared-For header
X-Forwarded-For:
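Review bot: `X-Forwared-Host: 127.0.0.1` and the comment `#or use double X-Forwared-For header` both misspell "Forwarded". Unless the misspelling is deliberate, the header line should be `X-Forwarded-Host`, because a proxy or application that trusts that header will not read the misspelled name and the entry tests nothing. If the misspelled variant is intended, say so in a comment. The comment is also easier to read with a space after `#`.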