Common security flaws in password reset functionality compiled from twitter, writeups, disclosed reports. [1] Password Reset Token Leak Via Referrer The HTTP referer is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested. The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed Exploitation Request password reset to your email address Click on the password reset link Dont change password Click any 3rd party websites(eg: Facebook, twitter) Intercept the request in burpsuite proxy Check if the referer header is leaking password reset token.

Android Pentesting Android Pentesting Sources from Hacking articles https://www.hackingarticles.in/android-penetration-testing-apk-reverse-engineering/ https://www.hackingarticles.in/android-penetration-testing-apk-reversing-part-2/ https://www.hackingarticles.in/android-pentest-deep-link-exploitation/ https://www.hackingarticles.in/android-penetration-testing-webview-attacks/ https://www.hackingarticles.in/android-penetration-testing-frida/ https://www.hackingarticles.in/android-pentest-lab-setup-adb-command-cheatsheet/ https://www.hackingarticles.in/android-hooking-and-sslpinning-using-objection-framework/ https://www.hackingarticles.in/android-penetration-testing-drozer/ https://www.hackingarticles.in/android-pentest-automated-analysis-using-mobsf/ Oneliner to extract url from apk apktool -d com.uber -o uberAPK; grep -Phro "(https?://)[\w\,-/]+[\"\']" uberAPK/ | sed 's#"##g' | anew | grep -v "w3\|android\|github\|schemes.android\|google\|goo.gl" Looking for an easy way to open arbitrary URLs in Android apps? Download jadx decompiler and install adb Open AndroidManifest.xml Find all browser activities (must contain ) Run “adb shell am start -n app_package_name/component_name -a android.

Upload Function Upload Function Extensions Impact ASP, ASPX, PHP5, PHP, PHP3: Webshell, RCE SVG: Stored XSS, SSRF, XXE GIF: Stored XSS, SSRF CSV: CSV injection XML: XXE AVI: LFI, SSRF HTML, JS : HTML injection, XSS, Open redirect PNG, JPEG: Pixel flood attack (DoS) ZIP: RCE via LFI, DoS PDF, PPTX: SSRF, BLIND XXE Blacklisting Bypass PHP → .phtm, phtml, .phps, .pht, .

GoSpider - Fast web spider written in Go This is a tool i use for recon because it utilises js linkfinder and is easy to setup for burp crawl. For Example: gospider -p "http://localhost:8080" -w -a -d 0 -s "https://example.com" Installation go get -u github.com/jaeles-project/gospider Features Fast web crawling Brute force and parse sitemap.xml Parse robots.txt Generate and verify link from JavaScript files Link Finder Find AWS-S3 from response source Find subdomains from response source Get URLs from Wayback Machine, Common Crawl, Virus Total, Alien Vault Format output easy to Grep Support Burp input Crawl multiple sites in parallel Random mobile/web User-Agent Showcases

Subfinder Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well. We have designed subfinder to comply with all passive sources licenses, and usage restrictions, as well as maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.

Wordpress Security Scanner WPScan is a free (for non-commercial use) black box WordPress security scanner written for security professionals and bloggers to test the security of their sites. INSTALL Prerequisites (Optional but highly recommended: RVM) Ruby >= 2.5 - Recommended: latest Ruby 2.5.0 to 2.5.3 can cause an ‘undefined symbol: rmpd_util_str_to_d’ error in some systems, see #1283 Curl >= 7.72 - Recommended: latest The 7.

Tag-attribute separators Sometimes filters naively assume only certain characters can separate a tag and its attributes, here’s a full list of valid separators that work in firefox and chrome: Decimal value URL Encoded Human desc 47 %2F Foward slash 13 %0D Carriage Return 12 %0C Form Feed 10 %0A New Line 9 %09 Horizontal Tab Examples Basically, if you have a payload that looks like: