
Pentesters & Bounty hunters 


inspirational guide 
Contact @BBerastegui if you want to have edit permissions (it’ll be helpful to get some help :) )

Introduction: How to use this 


Ctrl+F (Cmd+F if you are on a Mac).
Search for whatever you are looking for inspiration about.
There is a copy-and-paste template for new sections at the end of the document.

Ex.: Ctrl+F “RoR”
 
Sections (in the order they appear below; each one is split into Information, Posts / Examples and Tools, with empty sub-headings kept as placeholders):

* / Misc / Multiple
Active Directory
Android
Authentication / Authorization
AWS
CORS
Crypto
CSRF / SOP
Csv injection
Bluetooth
Desktop apps / Binaries
Directory/path traversal
Django / Python
Ethereum
Exploiting
Google web toolkit (GWT)
HTTP Headers
iOS
IoT
JWT
LFI/RFI
NodeJS
OAUTH
Open redirect
Powershell
Physical attacks / USB / Hardware
Red team exercises
Restricted shells
RCE
RFID
Reverse engineering (Firmwares)
Router exploitation
Ruby on Rails (RoR)
SAML
Serialization
SOAP
SQL Injection
SSRF
Subdomain takeover / domain takeover
UPnP
WAF
Web services
Windows - Penetration testing
Windows - exploiting
XSS / Javascript-fu
XXE
Cheatsheets (to be cleaned)


* / Misc / Multiple 
Information 
https://portswigger.net/kb/issues 
 

JSON Hijacking 
Keywords: JSON, hijacking 
https://haacked.com/archive/2009/06/25/json-hijacking.aspx/ 

Compilation of Facebook bug bounty writeups 


Keywords: Facebook, compilation, writeup, bug bounty 
https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640/ 

Posts / Examples 
[List of bounties won by SintheticLabs team] 
Keywords: H1, bounty 
https://h1.sintheticlabs.com/ 

How I Hacked Facebook, and Found Someone's Backdoor Script
Keywords: SQLi, Facebook, RCE
http://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver

Active Directory 
Information 
Posts / Examples 
Kerberoasting Without Mimikatz 
Keywords: Kerberos, AD 
https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ 

Android 
Information 
Posts / Examples 
Hacking android apps with Frida I
Keywords: Frida, Android, DBI
https://www.codemetrix.net/hacking-android-apps-with-frida-1/
 

Authentication / Authorization 
Posts / Examples 
Gaining access to private topics using quoting feature 
Keywords: Discourse, authorization bypass, forum 
https://hackerone.com/reports/312647 

Getting any Facebook user's friend list and partial payment card details
Keywords: Facebook, authorization, GraphQL
https://www.josipfranjkovic.com/blog/facebook-friendlist-paymentcard-leak
 

AWS 
Information 
EC2 - Instance Metadata and User Data 
Keywords: EC2 
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html 

Posts / Examples 
Tools 
AWS pwn 
Keywords: AWS 
https://github.com/dagrz/aws_pwn 

Scout2 - Security auditing tool for AWS environments
Keywords: AWS, Scout2, NCC
https://github.com/nccgroup/Scout2

Zeus - AWS Auditing & Hardening Tool
Keywords: AWS, hardening
https://github.com/DenizParlak/Zeus

CORS 
Information 
HTTP access control (CORS)
Keywords: CORS
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Posts / Examples 
Exploiting CORS Misconfigurations for Bitcoins and Bounties
Keywords: CORS
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html

Pre-domain wildcard CORS Exploitation
Keywords: CORS
https://medium.com/@arbazhussain/pre-domain-wildcard-cors-exploitation-2d6ac1d4bd30


Crypto 
Information 
https://sites.google.com/site/cryptocrackprogram 
https://r12a.github.io/uniview 
https://github.com/nccgroup/featherduster 
 

Posts / Examples 
CBC "cut and paste" attack may cause Open Redirect (even XSS)
Keywords: CBC, crypto, redirect, token
https://hackerone.com/reports/126203

CSRF / SOP 
Information 
Authoritative guide to CORS (Cross-Origin Resource Sharing) for REST APIs
Keywords: CSRF, CORS
https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/

Posts / Examples 
Exploiting CSRF on JSON endpoints with Flash and redirects
Keywords: CSRF, JSON
https://blog.appsecco.com/exploiting-csrf-on-json-endpoints-with-flash-and-redirects-681d4ad6b31b

CSRF in 'set.php' via age causes stored XSS
Keywords: Rockstar, CSRF, XSS
https://hackerone.com/reports/152013

Plain text considered harmful: A cross-domain exploit
Keywords: SOP, JSONP, CSRF, Javascript
http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/

Tools 

Csv injection 
Information 
Posts / Examples 
Comma separated vulnerabilities 
Keywords: Openoffice, Libreoffice, Excel, export to csv 
https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/ 

Everything about the CSV Excel Macro Injection
Keywords: Excel, macro injection
http://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/

Exploiting ‘Export as CSV’ functionality: The road to CSV Injection
Keywords: export as csv
http://www.tothenew.com/blog/csv-injection/

Cloud Security Risks (P2): CSV Injection in AWS CloudTrail
Keywords: AWS
https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/

http://blog.zsec.uk/csv-dangers-mitigations/


Bluetooth 
Posts / Examples 
Reversing and exploiting BLE 4.0 communication
Keywords: BLE, Bluetooth
http://payatu.com/reversing-exploiting-ble-4-0-communication/

How to capture Bluetooth packets on Android 4.4
Keywords: BLE, Bluetooth, Android
https://www.nowsecure.com/blog/2014/02/07/bluetooth-packet-capture-on-android-4-4/

This Is Not a Post About BLE, Introducing BLEAH
Keywords: BLE, Bluetooth
https://www.evilsocket.net/2017/09/23/This-is-not-a-post-about-BLE-introducing-BLEAH/
 
 

Desktop apps / Binaries
Information
Posts / Examples
XSS to RCE in Atlassian Hipchat
Keywords: RCE, XSS, Desktop, Electron
https://maustin.net/2015/11/12/hipchat_rce.html

Modern Alchemy: Turning XSS into RCE
Keywords: RCE, XSS, Desktop, Electron
https://blog.doyensec.com/2017/08/03/electron-framework-security.html

Tools 

Directory/path traversal 
Information 
Directory Traversal Checklist
Keywords: checklist, path traversal, directory traversal
● 16-bit Unicode (%u) encoding:
○ . = %u002e, / = %u2215, \ = %u2216
● Double URL encoding:
○ . = %252e, / = %252f, \ = %255c
● UTF-8 encoding (overlong and malformed sequences):
○ . = %c0%2e, %e0%40%ae, %c0ae
○ / = %c0%af, %e0%80%af, %c0%2f
○ \ = %c0%5c, %c0%80%5c
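The checklist above only lists encodings. The following is an added example, not part of the original document: it generates the `../` climb with each of those encodings and runs the results against two server-side checks, a blocklist that only looks for the literal `../` (the kind the encodings are designed to slip past) and a check that percent-decodes until stable, normalises the path and then verifies the result still lies under the web root. The root `/var/www/static`, the variant labels and the sample file names are this example's own assumptions.

```python
import posixpath
from urllib.parse import unquote

# Encodings from the checklist above, keyed by an arbitrary label so that the
# dot and slash variants of the same technique can be combined.
DOT = {
    "plain": ".",
    "url": "%2e",
    "double-url": "%252e",
    "utf8-overlong": "%c0%2e",
    "utf8-3byte": "%e0%40%ae",
    "utf8-mixed": "%c0ae",
    "unicode-16": "%u002e",
}
SLASH = {
    "plain": "/",
    "url": "%2f",
    "double-url": "%252f",
    "utf8-overlong": "%c0%af",
    "utf8-3byte": "%e0%80%af",
    "utf8-mixed": "%c0%2f",
    "unicode-16": "%u2215",
}


def traversal_variants(target="etc/passwd", depth=3):
    """{label: payload} climbing `depth` directories with each encoding."""
    return {label: (DOT[label] * 2 + SLASH[label]) * depth + target for label in DOT}


def naive_blocklist_allows(user_path):
    """The check that fails: it only knows the literal sequences."""
    return "../" not in user_path and "..\\" not in user_path


def decode_fully(s, rounds=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded %252e cannot hide a dot from the later checks."""
    for _ in range(rounds):
        decoded = unquote(s)          # invalid UTF-8 (overlong bytes) becomes U+FFFD
        if decoded == s:
            break
        s = decoded
    return s


def is_contained(root, user_path):
    """Decode, normalise, then prove the final path is still under root.
    Overlong/%u sequences that a strict decoder does not turn into '.' or '/'
    simply become odd file names that stay inside root."""
    decoded = decode_fully(user_path).replace("\\", "/")
    if "\x00" in decoded:
        return False
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, decoded))
    return full == root or full.startswith(root + "/")


if __name__ == "__main__":
    root = "/var/www/static"
    for label, payload in traversal_variants().items():
        print(f"{label:14} naive allows={naive_blocklist_allows(payload)!s:5} "
              f"contained={is_contained(root, payload)}")
```

Running it shows the naive blocklist rejecting only the plain variant while letting every encoded one through, whereas the decode-then-normalise check rejects the plain, single- and double-URL-encoded climbs and keeps the remaining variants inside the root. Whether the overlong UTF-8 and `%u` forms escape in practice depends entirely on the target's decoder, which is why they stay on the checklist.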

Django / Python 
Information 
 

Posts / Examples 
Exploring server-side template injection in Flask Jinja2 
Keywords: Flask, Jinja2 
https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/ 

Injecting Flask 
Keywords: Flask 
https://nvisium.com/blog/2015/12/07/injecting-flask/ 

Uber Remote Code Execution - Uber.com Remote Code Execution via Flask Jinja2 Template Injection
Keywords: Flask, Jinja2
http://blog.orange.tw/2016/04/bug-bounty-uber-ubercom-remote-code_7.html

Tools 

Ethereum 
Posts / Examples 
Thinking About Smart Contract Security 
https://blog.ethereum.org/2016/06/19/thinking-smart-contract-security/ 
 

Exploiting 
Information / Training 
Linux Heap Exploitation Intro Series: Used and Abused – Use After Free
Keywords: use after free
https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-used-and-abused-use-after-free/

Return oriented programming
Keywords: ROP, training
https://ropemporium.com/

Hunting In Memory 
Keywords: shellcode injection, reflective DLL injection, memory module, process and module hollowing, Gargoyle (ROP/APC) 
https://www.endgame.com/blog/technical-blog/hunting-memory 

Google web toolkit (GWT)
Posts / Examples
From Serialized to Shell :: Auditing Google Web Toolkit
Keywords: GWT, RCE, serialization
https://srcincite.io/blog/2017/04/27/from-serialized-to-shell-auditing-google-web-toolkit.html

HTTP Headers 
Practical HTTP Host header attacks 
Keywords: HTTP Headers, Host, cache poisoning 
http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html 

iOS 
Information / Tips 
“Easy network monitoring on non-jailbroken iOS:
1/ connect your iOS device to your macOS via USB
2/ rvictl -s <UDID>
3/ tcpdump|wireshark -i rvi0”

IoT 
Posts / Examples 
Philips Hue Reverse Engineering (BH Talk ‘A Lightbulb Worm?’)
Keywords: Philips hue, IoT, Zigbee
http://colinoflynn.com/2016/08/philips-hue-r-e-whitepaper-from-black-hat-2016/

Tools 

JWT 
Information 
Posts / Examples 
Critical Vulnerability Uncovered in JSON Encryption 
Keywords: JWT, json 
http://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html 

Tools 

LFI/RFI 
 

Information 
https://highon.coffee/blog/lfi-cheat-sheet/ 
https://www.hackthis.co.uk/articles/shell-via-lfi-and-procselfenviron 
https://blog.g0tmi1k.com/2012/02/kioptrix-level-4-local-file/ 

Posts / Examples 
Local File Read via XSS in Dynamically Generated PDF
Keywords: XSS, LFI, pdf generator, pdf
http://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html
 
PHP Remote File Inclusion command shell using data:// 
Keywords: PHP, RFI, LFI, URI 
https://www.idontplaydarts.com/2011/03/php-remote-file-inclusion-command-shell-using-data-stream/ 
 

NodeJS 
Posts / Examples 
[demo.paypal.com] Node.js code injection (RCE)
Keywords: Paypal, Node, NodeJS, RCE
http://artsploit.blogspot.com.es/2016/08/pprce2.html

Exploiting Node.js deserialization bug for Remote Code Execution
Keywords: Node, NodeJS, RCE
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

OAUTH 
Information 
Posts / Examples 
Login CSRF + Open Redirect -> Account Takeover 
Keywords: Uber, CSRF, account takeover, Oauth theft 
http://ngailong.com/uber-login-csrf-open-redirect-account-takeover/ 

Tools 
 

Open redirect 
Posts / Examples 
Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat
Keywords: SSRF
http://buer.haus/2017/03/09/airbnb-chaining-third-party-open-redirect-into-server-side-request-forgery-ssrf-via-liveperson-chat/

Powershell 
Information 
15 Ways to Bypass the PowerShell Execution Policy 
Keywords: Powershell, policy, bypass 
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ 
 

Physical attacks / USB / Hardware
Information 
Posts / Examples 
Real-world Rubber Ducky attacks with Empire stagers 
Keywords: Empire, Rubber Ducky, USB 
https://www.sc0tfree.com/sc0tfree-blog/optimizing-rubber-ducky-attacks-with-empire-stagers 

Red team exercises
Information
Red team tips
Keywords: red team, tips
https://vincentyiu.co.uk/red-team-tips/

Posts / Examples
From APK to Golden Ticket
Keywords: red team, apk, golden ticket
https://docs.google.com/document/d/1XWzlOOuoTE7DUK60qTk1Wz1VNhbPaHqKEzyxPfyW4GQ
 

Restricted shells 
Information 
Escape From SHELLcatraz - Breaking Out of Restricted Unix Shells
Keywords: shell escapes, restricted shell
https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells

RCE 
Information 
Template injection 
Keywords: template, Mako, Jinja, Twig, Smarty 

Posts / Examples 
Leveraging LFI to RCE using zip:// 
Keywords: Php, LFI, RCE, uri, data uri 
http://www.sxcurity.pro/2017/01/01/zip-to-rce-lfi/ 
 

Yahoo! RCE via Spring Engine SSTI
Keywords: RCE, SSTI, template, Spring
https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/

RFID
Information
RFID Hacking with The Proxmark 3 
Keywords: Proxmark 3, RFID, getting started 
https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/ 

Reverse engineering (Firmwares)
Posts / Examples
Hacking a counterfeit money detector for fun and non-profit
Keywords: money detector, reverse engineering, firmware
http://blog.ioactive.com/2013/10/hacking-counterfeit-money-detector-for.html
 

Router exploitation 
Posts / Examples 
SQL Injection to MIPS Overflows: Rooting SOHO Routers 
http://media.blackhat.com/bh-us-12/Briefings/Cutlip/BH_US_12_Cutlip_SQL_Exploitation_WP.pdf 

Flash Dumping - Part I
https://blog.quarkslab.com/flash-dumping-part-i.html
 
 

Ruby on Rails (RoR)
Posts / Examples
Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution
http://buer.haus/2017/03/13/airbnb-ruby-on-rails-string-interpolation-led-to-remote-code-execution/

GitHub Enterprise Remote Code Execution
http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html

Attacking Ruby on Rails applications
http://phrack.org/issues/69/12.html

Github Enterprise SQL Injection
http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html

RoR SQL Injection cheatsheet
https://rails-sqli.org/
 
 

   
 

SAML
Information
Short SAML introduction
http://www.economyofmechanism.com/office365-authbypass.html

SAML 2.0 Protocols
https://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile

How SAML Works
https://auth0.com/blog/how-saml-authentication-works/

Dev Overview of SAML
https://developers.onelogin.com/saml

Posts / Examples
The road to your codebase is paved with forged assertions
http://www.economyofmechanism.com/github-saml.html

Slack SAML authentication bypass
http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html

Tools
SAMLRaider - Burp extension
https://github.com/SAMLRaider/SAMLRaider

   
 

Serialization
Information
Java-Deserialization-Cheat-Sheet 
Keywords: Java, serialization, deserialization, cheatsheet 
https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet 

Posts / Examples 
Attacking Java Deserialization 
Keywords: Java, serialization, deserialization 
https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/ 

Tools 
ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization
Keywords: Java, serialization, deserialization, ysoserial
https://github.com/frohoff/ysoserial/

SOAP 
Posts / Examples 
Don’t Drop the SOAP: Real World Web Service Testing
https://media.blackhat.com/bh-us-11/Johnson/BH_US_11_JohnsonEstonAbraham_Dont_Drop_the_SOAP_WP.pdf

SQL Injection 
Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper
Keywords: SQLi, sqlmap
https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/
 
SQL Injection on sctrack.email.uber.com.cn 
https://hackerone.com/reports/150156 

SSRF
Information
Server Side Request Forgery Vulnerability
Keywords: SSRF
http://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/

SSRF tips
Keywords: SSRF, tips, cheatsheet
http://blog.safebuff.com/2016/07/03/SSRF-Tips/

SSRF (Server Side Request Forgery) testing resources
Keywords: SSRF, tips, cheatsheet
https://github.com/cujanovic/SSRF-Testing

SSRF Injection (PayloadsAllTheThings)
Keywords: SSRF, tips, cheatsheet, bypass
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF%20injection
 

Posts / Examples 
On “Open Redirect” [1]

SSRF, Memcached and other key-value injections in the wild
Keywords: SSRF, memcached
https://medium.com/@d0znpp/ssrf-memcached-and-other-key-value-injections-in-the-wild-c8d223bd856f

Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read
Keywords: SSRF, PhantomJS
https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/
 
SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing
Keywords: SSRF, FFmpeg
https://hackerone.com/reports/237381
https://hackerone.com/reports/115857 (On Imgur)
 
SVG Server Side Request Forgery (SSRF) 
Keywords: SSRF, SVG 
https://hackerone.com/reports/223203 
 
Stored XSS, and SSRF in Google using the Dataset Publishing 
Language 
Keywords: SSRF, XSS, Google, DSPL 
https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html 
 
SSRF in Exchange leads to ROOT access in all instances 
Keywords: SSRF, Google Cloud, Kubernetes 
https://hackerone.com/reports/341876 
 

 
 
 

Tips 
“If the vulnerable server is using cURL to make HTTP requests, it’s possible to use the dict URL schema to make requests to any host on any port and send custom data.
The URL dict://localhost:11211/stat will cause the server to connect to localhost on port 11211 and send the string “stat”. Port 11211 is the default port used by Memcached.”
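The tip above and the EC2 instance-metadata entry in the AWS section come down to the same question: what does the server-side fetcher end up connecting to? The following is an added example, not from the document or any project it links: a guard for a URL fetcher that allows only http(s) on ports 80/443 to a globally routable address, and so refuses the dict:// Memcached probe, 169.254.169.254, localhost and the IPv4-mapped IPv6 spelling of loopback. The name table is constructed so it runs offline; the port policy is this example's choice.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name table so the example runs offline. A real guard must resolve
# with the same resolver the fetcher uses and re-run the check on every redirect
# hop, otherwise a third-party open redirect turns an allowed URL into an SSRF
# (see the Airbnb / LivePerson entry under Open redirect).
STATIC_DNS = {
    "example.com": "8.8.8.8",            # stands in for any public address
    "localhost": "127.0.0.1",
    "metadata.internal": "169.254.169.254",
}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}                # policy choice for this example


def target_of(url):
    """(scheme, host, port) the fetcher would actually connect to."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)  # .port raises on junk
    return scheme, host, port


def resolve(host, resolver=STATIC_DNS):
    """Turn an IP literal or a name into an ipaddress object (None if unknown)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = resolver.get(host)
        if raw is None:
            return None
        ip = ipaddress.ip_address(raw)
    # ::ffff:127.0.0.1 is still loopback; unmap it before asking is_global
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def why_blocked(url, resolver=STATIC_DNS):
    """None if the fetch may proceed, otherwise the reason it was refused."""
    try:
        scheme, host, port = target_of(url)
    except ValueError:
        return "unparsable URL"
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme!r} refused: dict://, gopher://, file:// reach non-HTTP services"
    if not host:
        return "no host"
    ip = resolve(host, resolver)
    if ip is None:
        return f"{host} does not resolve"
    if not ip.is_global:
        return f"{host} resolves to {ip}, which is loopback, private, link-local or reserved"
    if port not in ALLOWED_PORTS:
        return f"port {port} refused"
    return None


def is_allowed(url, resolver=STATIC_DNS):
    return why_blocked(url, resolver) is None


if __name__ == "__main__":
    for u in ("dict://localhost:11211/stat",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/",
              "http://example.com/"):
        print(f"{u:45} -> {why_blocked(u) or 'allowed'}")
```

The check uses `is_global` rather than a hand-written list of private ranges, which also covers link-local (the metadata range), CGNAT and reserved blocks. The two gaps it deliberately does not close, DNS rebinding between check and fetch and redirects after the first hop, need the fetcher itself to pin the resolved address and re-validate each `Location`.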

Subdomain takeover / domain takeover
Information
Posts / Examples
Mailgun misconfiguration leads to email snooping and postmaster@-access
Keywords: takeover, email
https://hackerone.com/reports/174983

Authentication bypass via subdomain takeover
Keywords: takeover, authentication bypass, sso
https://hackerone.com/reports/172137

Tools 

UPnP 
Information 
“research of security risks that exist in UPnP implementations”
http://www.upnp-hacks.org/upnp.html

Posts / Examples
Sending a video content to a DLNA/UPnP software/device using curl
http://www.accella.net/knowledgebase/sending-a-video-content-to-a-dlnaupnp-softwaredevice-using-curl/
Adventures in UPnP with cURL and netcat
https://coolaj86.com/articles/adventures-in-upnp-with-curl-and-netcat/
 

Tools 
 

WAF 
Information 
Web Application Firewall (WAF) Evasion Techniques (I & II) 
Keywords: WAF, bypass 
https://medium.com/secjuice/waf-evasion-techniques-718026d693d8 
https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0 

Posts / Examples 
Tools 

Web services 
Information 
“Flaws of today's web service standards and 
implementations in regard to web service security” 
http://ws-attacks.org/Welcome_to_WS-Attacks 

Posts / Examples 
Tools 
 

Windows - Penetration testing
Posts / Examples
RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an organisation
Keywords: RDP
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6

Tools
Slui File Handler Hijack UAC Bypass Local Privilege Escalation
Keywords: Windows privilege escalation, UAC bypass
https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation
 

Windows - exploiting 
Information 
Injecting code into remote process 
http://www.tuxmealux.net/2015/03/10/code-injection/ 

Posts / Examples 
Tools 

XSS / Javascript-fu 
Information 
What can be really done with Cross-site Scripting 
Keywords: XSS, Brutelogic, tips 
https://docs.google.com/presentation/d/1v3Me8IWDuvSb1k96UB5RNyXE-hLHk0i6cf5MDJMaxuY/ 

Bypassing Signature-Based XSS Filters: Modifying Script Code
Keywords: WAF, bypass, XSS
https://support.portswigger.net/customer/en/portal/articles/2590820-bypassing-signature-based-xss-filters-modifying-script-code

ECMAScript 6 for Penetration Testers
Keywords: ECMAscript, Javascript, XSS
https://cure53.de/es6-for-penetration-testers.pdf
 
Bypass any WAF for XSS easily 
Keywords: WAF, Javascript, XSS 
https://teamultimate.in/bypass-waf-xss-easily/ 
 
Universal Cross-site Scripting DB [+ other browser 
vulnerabilities] 
Keywords: data uri, Javascript, XSS 
https://github.com/Metnew/uxss-db 
 
XSS without HTML: Client-Side Template Injection with AngularJS
Keywords: Angular, template
http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html


Posts / Examples 
“Another vulnerability in Facebook” 
https://habrahabr.ru/company/pt/blog/247709/ 

XSS via a spoofed React element
Keywords: XSS, React
http://danlec.com/blog/xss-via-a-spoofed-react-element
https://hackerone.com/reports/49652

7500$ worth DOM XSS in Facebook Mobile Site
Keywords: XSS
https://medium.com/@johnssimon_6607/7500-worth-dom-xss-in-facebook-mobile-site-144351f00b6c

Stored XSS on Facebook
Keywords: XSS
https://opnsec.com/2018/03/stored-xss-on-facebook/

AngularJS - Escaping the Expression Sandbox for XSS
Keywords: Angular, XSS
https://spring.io/blog/2016/01/28/angularjs-escaping-the-expression-sandbox-for-xss

Persistent DOM-based XSS in https://help.twitter.com via localStorage
Keywords: Twitter, localStorage, DOM
https://hackerone.com/reports/297968
 

Tools / Tips / Bypasses
Bypassing filters / Breaking context
Keywords: XSS bypass, XSS
['alert\x281\x29'].map(eval)
['aler','t(1)'].join('').replace(/.*/,eval)
alert`1`
<svg%0Ao%00nload=%09((pro\u006dpt))()//
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
<x oncut=y=prompt,y``>z
<a id="link" href="javascript://:%0aalert(1)">test</a>

Exploiting CSRF
Keywords: XSS, CSRF
<img src=x onerror="$.post('${DOMAIN}.com', {params})">
(needs jQuery on the victim page; ${DOMAIN} and {params} are placeholders for the target endpoint and the forged request body)
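The payloads in the bypass list above are here run, as an added example that is not part of the original document, against three handling strategies in JavaScript: a signature blocklist matching `<script`, `alert(`, `prompt(` and `confirm(`; the same blocklist after URL-, `\x`-, `\u`- and null-byte normalisation plus an `on…=` event-handler rule; and finally plain HTML output encoding. The filters and signatures are this example's own constructions and stand in for no real WAF.

```javascript
// The six filter-bypass payloads from the list above, as raw strings.
const PAYLOADS = [
  "['alert\\x281\\x29'].map(eval)",
  "['aler','t(1)'].join('').replace(/.*/,eval)",
  "alert`1`",
  "<svg%0Ao%00nload=%09((pro\\u006dpt))()//",
  "-->'\"/></sCript><svG x=\">\" onload=(co\\u006efirm)``>",
  "<x oncut=y=prompt,y``>z",
];

// A typical signature blocklist: case-insensitive substring matches.
const SIGNATURES = ["<script", "alert(", "prompt(", "confirm("];

function naiveFilterBlocks(input) {
  const lower = input.toLowerCase();
  return SIGNATURES.some((sig) => lower.includes(sig));
}

// Undo the layers the payloads rely on before matching: percent-encoding,
// \xNN and \uNNNN escapes, and null bytes splitting an attribute name.
function normalize(input) {
  let out = input;
  try {
    out = decodeURIComponent(out);
  } catch (e) {
    /* malformed %-sequence: keep the raw text */
  }
  out = out.replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  out = out.replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  out = out.replace(/\0/g, "");
  return out.toLowerCase();
}

// Normalising filter: the same signatures plus an event-handler rule.
function normalizingFilterBlocks(input) {
  const n = normalize(input);
  return naiveFilterBlocks(n) || /on\w+\s*=/.test(n);
}

// Indexes of PAYLOADS that a given filter lets through.
function survivors(filterBlocks) {
  return PAYLOADS.map((p, i) => (filterBlocks(p) ? -1 : i)).filter((i) => i >= 0);
}

// Output encoding for an HTML text/attribute context: nothing is "blocked",
// the data simply stops being markup.
function encodeForHtml(input) {
  return input.replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

console.log("naive filter lets through:", survivors(naiveFilterBlocks));
console.log("normalising filter lets through:", survivors(normalizingFilterBlocks));
```

All six payloads pass the naive filter. After normalisation the two that never spell out a signature (the split `'aler','t(1)'` string and the template literal `alert`1``) still survive, which is the point of the list: a longer blocklist is always one payload behind, while context-aware output encoding removes the markup regardless of how it was spelled. The encoder shown is for an HTML text or attribute context; payloads 1 to 3 only bite where input already lands inside a script block, where this encoder is the wrong tool and a JavaScript-context encoding is needed instead.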
 

XXE 
Information 
XXE Cheatsheet 
Keywords: XXE, Cheatsheet 
https://web-in-security.blogspot.co.uk/2016/03/xxe-cheat-sheet.html 

XXE payloads 
Keywords: XXE, payloads, injection 
https://gist.github.com/staaldraad/01415b990939494879b4 

Exploitation: XML External Entity (XXE) Injection
Keywords: XXE
https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection
 
XXE: How to become a Jedi 
Keywords: XXE 
https://www.slideshare.net/ssuserf09cba/xxe-how-to-become-a-jedi 
 
Hunting in the Dark - Blind XXE 
Keywords: XXE, blind 
https://blog.zsec.uk/blind-xxe-learning/amp/ 
 

Posts / Examples 
XML External Entity Injection in Jive-n (CVE-2018-5758) 
Keywords: XXE, Word, DTD 
https://rhinosecuritylabs.com/research/xml-external-entity-injection-xxe-cve-2018-5758/ 

   
 

Cheatsheets (to be cleaned)

All in one References / Full blogs/sites 
http://pwnwiki.io/#!index.md 
https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/ 
https://philippeharewood.com/ 
OSCP Reviews 
http://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html 
https://www.securitysift.com/offsec-pwb-oscp/ 
Enumeration Cheatsheet 
https://highon.coffee/blog/nmap-cheat-sheet/ 
https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/ 
http://www.0daysecurity.com/penetration-testing/enumeration.html 
Privilege Escalation 

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 
https://github.com/rebootuser/LinEnum 
https://www.securitysift.com/download/linuxprivchecker.py 
https://github.com/PenturaLabs/Linux_Exploit_Suggester 
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ 
https://www.youtube.com/watch?v=kMG8IsCohHA 
http://www.fuzzysecurity.com/tutorials/16.html 
https://toshellandback.com/2015/11/24/ms-priv-esc/ 
https://github.com/51x/WHP 
https://isc.sans.edu/diary/Windows+Command-Line+Kung+Fu+with+WMIC/1229 
Abusing SUDO (Linux Privilege Escalation) 
http://touhidshaikh.com/blog/?p=790 
 

Reverse Shell Cheatsheet 


https://www.phillips321.co.uk/2012/02/05/reverse-shell-cheat-sheet/ 
https://highon.coffee/blog/reverse-shell-cheat-sheet/ 
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 
Get TTY shell 
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ 
https://netsec.ws/?p=337 
Buffer Overflow 
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ 
http://netsec.ws/?p=180 
Msfvenom Cheatsheet 
http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/ 
Porting Metasploit Exploits 
https://netsec.ws/?p=262 
Port forwarding & Pivoting 
https://artkond.com/2017/03/23/pivoting-guide/ 
http://atropineal.com/2016/11/18/pivoting-with-ssh-and-proxychains/ 
http://netsec.ws/?p=278 
Client-Side Attacks 
https://www.offensive-security.com/metasploit-unleashed/client-side-exploits/ 
Practice 
https://www.hackthebox.eu/ 
https://www.vulnhub.com/ 
https://exploit-exercises.com/ 
https://shellterlabs.com/en/ 
 
