Web Application Hacker's Handbook Task checklist as a Github-Flavored Markdown file
KathanP19
/ noobrecon.sh
Created
March 27, 2020 15:25
— forked from noobh4x/noobrecon.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #################################### | |
| # Config | |
| ################## | |
| HTTPROBE_CONCURRENCY=100 | |
| HTTPROBE_TIMEOUT=3000 | |
| DIRSEARCH_THREADS=50 |
KathanP19
/ cloud_metadata.txt
Created
April 23, 2020 02:37
— forked from jhaddix/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## AWS | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/ami-id | |
| http://169.254.169.254/latest/meta-data/reservation-id | |
| http://169.254.169.254/latest/meta-data/hostname | |
| http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key |
KathanP19
/ auto_git_query_fav
Created
May 18, 2020 03:45
— forked from nullenc0de/auto_git_query_fav
Auto_git Favs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://github.com/search?q=\?AccessKeyId= OR _02ddd67d5586_key= OR 0HB_CODESIGN_GPG_PASS= OR 0HB_CODESIGN_KEY_PASS=&s=indexed&type=Code | |
| https://github.com/search?q=0VIRUSTOTAL_APIKEY= OR ACCESS KEY ID = OR ACCESS_KEY_ID= OR ACCESS_KEY_SECRET= OR ACCESS_KEY=&s=indexed&type=Code | |
| https://github.com/search?q=ACCESS_SECRET= OR ACCESSKEY= OR ACCESSKEYID= OR ADZERK_API_KEY= OR ALGOLIA_ADMIN_KEY_1=&s=indexed&type=Code | |
| https://github.com/search?q=ALGOLIA_ADMIN_KEY_2= OR ALGOLIA_ADMIN_KEY_MCM= OR ALGOLIA_API_KEY_MCM= OR ALGOLIA_API_KEY_SEARCH=&s=indexed&type=Code | |
| https://github.com/search?q=ALGOLIA_API_KEY= OR ALGOLIA_SEARCH_API_KEY= OR ALGOLIA_SEARCH_KEY_1= OR ALGOLIA_SEARCH_KEY=&s=indexed&type=Code | |
| https://github.com/search?q=ALIAS_PASS= OR ALICLOUD_ACCESS_KEY= OR ALICLOUD_SECRET_KEY= OR AMAZON_SECRET_ACCESS_KEY=&s=indexed&type=Code | |
| https://github.com/search?q=ANSIBLE_VAULT_PASSWORD= OR aos_key= OR API_KEY_MCM= OR API_KEY_SECRET= OR API_KEY_SID= OR API_KEY=&s=indexed&type=Code | |
| https://github.com/search?q=API_SECRE |
KathanP19
/ auto_git_query
Created
May 18, 2020 03:46
— forked from nullenc0de/auto_git_query
Automated Github Queries (Can open 29 tabs at a time)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://github.com/search?q=BROWSER_STACK_ACCESS_KEY= OR BROWSER_STACK_USERNAME= OR browserConnectionEnabled= OR BROWSERSTACK_ACCESS_KEY=&s=indexed&type=Code | |
| https://github.com/search?q=CHROME_CLIENT_SECRET= OR CHROME_EXTENSION_ID= OR CHROME_REFRESH_TOKEN= OR CI_DEPLOY_PASSWORD= OR CI_DEPLOY_USER=&s=indexed&type=Code | |
| https://github.com/search?q=CLOUDAMQP_URL= OR CLOUDANT_APPLIANCE_DATABASE= OR CLOUDANT_ARCHIVED_DATABASE= OR CLOUDANT_AUDITED_DATABASE=&s=indexed&type=Code | |
| https://github.com/search?q=CLOUDANT_ORDER_DATABASE= OR CLOUDANT_PARSED_DATABASE= OR CLOUDANT_PASSWORD= OR CLOUDANT_PROCESSED_DATABASE=&s=indexed&type=Code | |
| https://github.com/search?q=CONTENTFUL_PHP_MANAGEMENT_TEST_TOKEN= OR CONTENTFUL_TEST_ORG_CMA_TOKEN= OR CONTENTFUL_V2_ACCESS_TOKEN=&s=indexed&type=Code | |
| https://github.com/search?q=-DSELION_BROWSER_RUN_HEADLESS= OR -DSELION_DOWNLOAD_DEPENDENCIES= OR -DSELION_SELENIUM_RUN_LOCALLY=&s=indexed&type=Code | |
| https://github.com/search?q=ELASTICSEARCH_PASSWORD= OR ELASTICSEARCH_USERNAME= OR EMAIL_NOTIFI |
KathanP19
/ One liner for gathering urls.
Created
July 19, 2020 04:23
One-liner for crawling domain list of sub-domains << extract urls with parameters << filter the result to only 4 urls for each endpoint >> filter urls to delete unwanted extensions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cat sub-domains.txt | hakrawler | grep 'http' | cut -d ' ' -f 2 > crawling.txt && gau -subs http://domain.com >> crawling.txt && waybackurls http://domain.com >> crawling.txt && cat crawling.txt | grep "?" | unfurl --unique format %s://%d%p > base.txt ; cat base.txt | parallel -j 4 grep {} -m5 crawling.txt | tee final1.txt; cat final1.txt | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" > final.txt && rm -rf base.txt final1.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| filename=$(echo '$1' | awk -F/ '{print $(NF-0)}') | |
| python3 ./tools/jsbeautify.py $1 $filename | |
| mv $filename ./jsfiles/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| target=$1 | |
| echo -e "\e[1;33m$target\n\e[32m"; | |
| curl -s $target | grep -Eo "var [a-zA-Z0-9_]+" | sort -u | cut -d" " -f2 | awk 'length($1) >= 3 {print $1}' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #This code is taken from https://github.com/dwisiswant0/findom-xss Do check it out. | |
| PATTERN="(document|location|window)\.(URL|documentURI|search|hash|referrer|(location\.)?href|name)" | |
| BODY=$(curl -sL ${1}) | |
| SCAN=($(echo ${BODY} | grep -Eoin ${PATTERN})) | |
| if [[ ! -z "${SCAN}" ]]; then | |
| echo -en "---\n\033[0;32m[!] ${1}\033[0m\n${SCAN}\n" | |
| echo -e "---\n${1}\n${SCAN}" >> domxss_scan.txt |
KathanP19
/ WAHH_Task_Checklist.md
Last active
November 10, 2020 14:05
— forked from jhaddix/Testing_Checklist.md
The Web Application Hacker's Handbook - Task Checklist - Github-Flavored Markdown
KathanP19
/ xsstest.json
Last active
November 20, 2020 07:23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "apiVersion" : "1.0", | |
| "apis" : [ { | |
| "description" : "XSS test", | |
| "path" : "a", | |
| "position" : 0 | |
| }], | |
| "authorizations" : { }, | |
| "info" : { | |
| "contact" : "mala@ma.la", |
OlderNewer