Aircrack-NG Cheat Sheet

Github Dorks Cheatsheet

Find files with sensitive info, API Keys, Tokens and Passwords.

+ list of github dorks automation tools

Windows useful Directories

Chrome has just unleashed popovers: modal dialogs without JS! Of course you can abuse them for XSS filter evasion

SSRF Techniques Roadmap

Burp Suite 2023.8+ includes a feature that theoretically makes opening untrusted project files safe. If you find a bypass, you're probably eligible for a bounty - check the full details here:

https://portswigger.net/burp/releases/professional-community-2023-8

Periodical reminder: it's possible to navigate sub-tabs (like Repeater entries) from the keyboard.

You simply have to configure the actions "Go to previous tab" and "Go to next tab".

Burp Suite

As Burp Suite is developed in Java, regexes may use embedded flag expressions like "(?m)"

Here's a detailled description of all the possibilities (including embedded flags, character classes, quantifiers, groups, ...)

Bug Bounty Tip

GBK Encoding / MultiByte Attack

嘊 = %E5%98%8A = \u560a ⇒ %0A
嘍 = %E5%98%8D = \u560d ⇒ %0D
嘾 = %E5%98%BE = \u563e ⇒ %3E (>)
嘼 = %E5%98%BC = \u563c ⇒ %3C (<)
嘢 = %E5%98%A2 = \u5622 ⇒ %22 (')
嘧 = %E5%98%A7 = \u5627 ⇒ %27 (")

For XSS, CRLF, WAF bypass

CSP Protection Bypass (using Google domain)

/o/oauth2/revoke?callback=alert(1);console.log

Useful for local privesc on Windows systems; find unquoted service path using the following:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

#OSCP #Windows

https://portswigger.net/burp/documentation/desktop/settings/network/tls#tls-negotiation


Burp Suite 2023.10 is harder to fingerprint than earlier versions as it now sets 'Accept-Encoding: gzip, deflate, br'. If you're still blocked, you might bypass it by tinkering with your TLS ciphers using "Network->TLS -> Use custom protocols and ciphers"