2. 👾 Welcome!
  3. HackTricks
  4. HackTricks Values & FAQ
  5. About the author
  7. 🤩 Generic Methodologies & Resources
  8. Pentesting Methodology
  9. External Recon Methodology
    1. Wide Source Code Search
    2. Github Dorks & Leaks
  11. Pentesting Network
    1. DHCPv6
    2. EIGRP Attacks
    3. GLBP & HSRP Attacks
    4. IDS and IPS Evasion
    5. Lateral VLAN Segmentation Bypass
    6. Network Protocols Explained (ESP)
    7. Nmap Summary (ESP)
    8. Pentesting IPv6
    9. Telecom Network Exploitation
    10. WebRTC DoS
    11. Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
    12. Spoofing SSDP and UPnP Devices with EvilSSDP
  13. Pentesting Wifi
    1. Enable Nexmon Monitor And Injection On Android
    2. Evil Twin EAP-TLS
  15. Phishing Methodology
    1. Ai Agent Mode Phishing Abusing Hosted Agent Browsers
    2. Clipboard Hijacking
    3. Clone a Website
    4. Detecting Phishing
    5. Discord Invite Hijacking
    6. Homograph Attacks
    7. Mobile Phishing Malicious Apps
    8. Phishing Files & Documents
  17. Basic Forensic Methodology
    1. Adaptixc2 Config Extraction And Ttps
    2. Baseline Monitoring
    3. Anti-Forensic Techniques
    4. Docker Forensics
    5. Image Acquisition & Mount
    6. Ios Backup Forensics
    7. Linux Forensics
    8. Malware Analysis
    9. Memory dump analysis
      1. Volatility - CheatSheet
    11. Partitions/File Systems/Carving
      1. File/Data Carving & Recovery Tools
    13. Pcap Inspection
      1. DNSCat pcap analysis
      2. Suricata & Iptables cheatsheet
      3. USB Keystrokes
      4. Wifi Pcap Analysis
      5. Wireshark tricks
    15. Specific Software/File-Type Tricks
      1. Decompile compiled python binaries (exe, elf) - Retreive from .pyc
      2. Browser Artifacts
      3. Deofuscation vbs (cscript.exe)
      4. Discord Cache Forensics
      5. Local Cloud Storage
      6. Mach O Entitlements And Ipsw Indexing
      7. Office file analysis
      8. PDF File analysis
      9. PNG tricks
      10. Structural File Format Exploit Detection
      11. Video and Audio file analysis
      12. ZIPs tricks
    17. Windows Artifacts
      1. Interesting Windows Registry Keys
  19. Python Sandbox Escape & Pyscript
    1. Bypass Python sandboxes
      1. LOAD_NAME / LOAD_CONST opcode OOB Read
      2. Reportlab Xhtml2pdf Triple Brackets Expression Evaluation Rce Cve 2023 33733
    3. Class Pollution (Python's Prototype Pollution)
    4. Keras Model Deserialization Rce And Gadget Hunting
    5. Python Internal Read Gadgets
    6. Pyscript
    7. venv
    8. Web Requests
    9. Bruteforce hash (few chars)
    10. Basic Python
  21. Threat Modeling
  22. Blockchain & Crypto
    1. Mutation Testing With Slither
    2. Defi/AMM Hook Precision
  24. Lua Sandbox Escape
  26. 🧙‍♂️ Generic Hacking
  27. Archive Extraction Path Traversal
  28. Brute Force - CheatSheet
  29. Esim Javacard Exploitation
  30. Exfiltration
  31. Reverse Shells (Linux, Windows, MSFVenom)
    1. MSFVenom - CheatSheet
    2. Reverse Shells - Windows
    3. Reverse Shells - Linux
    4. Expose local to the internet
    5. Full TTYs
  33. Search Exploits
  34. Tunneling and Port Forwarding
  36. 🐧 Linux Hardening
  37. Linux Basics
  38. Checklist - Linux Privilege Escalation
  39. Linux Privilege Escalation
    1. Android Rooting Frameworks Manager Auth Bypass Syscall Hook
    2. Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244
    3. Arbitrary File Write to Root
    4. Cisco - vmanage
    5. Containerd (ctr) Privilege Escalation
    6. D-Bus Enumeration & Command Injection Privilege Escalation
    7. Docker Security
      1. Abusing Docker Socket for Privilege Escalation
      2. AppArmor
      3. AuthZ& AuthN - Docker Access Authorization Plugin
      4. CGroups
      5. Docker --privileged
      6. Docker Breakout / Privilege Escalation
        1. release_agent exploit - Relative Paths to PIDs
        2. Docker release_agent cgroups escape
        3. Sensitive Mounts
      8. Namespaces
        1. CGroup Namespace
        2. IPC Namespace
        3. PID Namespace
        4. Mount Namespace
        5. Network Namespace
        6. Time Namespace
        7. User Namespace
        8. UTS Namespace
      10. Seccomp
      11. Weaponizing Distroless
    9. Escaping from Jails
    10. Posix Cpu Timers Toctou Cve 2025 38352
    11. euid, ruid, suid
    12. Interesting Groups - Linux Privesc
      1. lxd/lxc Group - Privilege escalation
    14. Logstash
    15. ld.so privesc exploit example
    16. Linux Active Directory
    17. Linux Capabilities
    18. NFS no_root_squash/no_all_squash misconfiguration PE
    19. Node inspector/CEF debug abuse
    20. Payloads to execute
    21. RunC Privilege Escalation
    22. SELinux
    23. Socket Command Injection
    24. Splunk LPE and Persistence
    25. SSH Forward Agent exploitation
    26. Wildcards Spare tricks
  41. Useful Linux Commands
  42. Bypass Linux Restrictions
    1. Bypass FS protections: read-only / no-exec / Distroless
      1. DDexec / EverythingExec
  44. Linux Environment Variables
  45. Linux Post-Exploitation
    1. PAM - Pluggable Authentication Modules
  47. FreeIPA Pentesting
  49. 🍏 MacOS Hardening
  50. macOS Security & Privilege Escalation
    1. macOS Apps - Inspecting, debugging and Fuzzing
      1. Objects in memory
      2. Introduction to x64
      3. Introduction to ARM64v8
    3. macOS AppleFS
    4. macOS Bypassing Firewalls
    5. macOS Defensive Apps
    6. Macos Dyld Hijacking And Dyld Insert Libraries
    7. macOS GCD - Grand Central Dispatch
    8. macOS Kernel & System Extensions
      1. macOS IOKit
      2. macOS Kernel Extensions & Debugging
      3. macOS Kernel Vulnerabilities
      4. macOS System Extensions
    10. macOS Network Services & Protocols
    11. macOS File Extension & URL scheme app handlers
    12. macOS Files, Folders, Binaries & Memory
      1. macOS Bundles
      2. macOS Installers Abuse
      3. macOS Memory Dumping
      4. macOS Sensitive Locations & Interesting Daemons
      5. macOS Universal binaries & Mach-O Format
    14. macOS Objective-C
    15. macOS Privilege Escalation
    16. macOS Process Abuse
      1. macOS Dirty NIB
      2. macOS Chromium Injection
      3. macOS Electron Applications Injection
      4. macOS Function Hooking
      5. macOS IPC - Inter Process Communication
        1. macOS MIG - Mach Interface Generator
        2. macOS XPC
          1. macOS XPC Authorization
          2. macOS XPC Connecting Process Check
            1. macOS PID Reuse
            2. macOS xpc_connection_get_audit_token Attack
        4. macOS Thread Injection via Task port
      7. macOS Java Applications Injection
      8. macOS Library Injection
        1. macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
        2. macOS Dyld Process
      10. macOS Perl Applications Injection
      11. macOS Python Applications Injection
      12. macOS Ruby Applications Injection
      13. macOS .Net Applications Injection
    18. macOS Security Protections
      1. macOS Gatekeeper / Quarantine / XProtect
      2. macOS Launch/Environment Constraints & Trust Cache
      3. macOS Sandbox
        1. macOS Default Sandbox Debug
        2. macOS Sandbox Debug & Bypass
          1. macOS Office Sandbox Bypasses
      5. macOS Authorizations DB & Authd
      6. macOS SIP
      7. macOS TCC
        1. macOS Apple Events
        2. macOS TCC Bypasses
          1. macOS Apple Scripts
        4. macOS TCC Payloads
      9. macOS Dangerous Entitlements & TCC perms
      10. macOS - AMFI - AppleMobileFileIntegrity
      11. macOS MACF - Mandatory Access Control Framework
      12. macOS Code Signing
      13. macOS FS Tricks
        1. macOS xattr-acls extra stuff
    20. macOS Users & External Accounts
  52. macOS Red Teaming
    1. macOS MDM
      1. Enrolling Devices in Other Organisations
      2. macOS Serial Number
    3. macOS Keychain
  54. macOS Useful Commands
  55. macOS Auto Start
  57. 🪟 Windows Hardening
  58. Authentication Credentials Uac And Efs
  59. Checklist - Local Windows Privilege Escalation
  60. Windows Local Privilege Escalation
    1. Abusing Auto Updaters And Ipc
    2. Arbitrary Kernel Rw Token Theft
    3. Abusing Tokens
    4. Access Tokens
    5. ACLs - DACLs/SACLs/ACEs
    6. AppendData/AddSubdirectory permission over service registry
    7. Create MSI with WIX
    8. COM Hijacking
    9. Dll Hijacking
      1. Writable Sys Path +Dll Hijacking Privesc
    11. DPAPI - Extracting Passwords
    12. From High Integrity to SYSTEM with Name Pipes
    13. Integrity Levels
    14. JuicyPotato
    15. Leaked Handle Exploitation
    16. MSI Wrapper
    17. Named Pipe Client Impersonation
    18. Privilege Escalation with Autoruns
    19. RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
    20. SeDebug + SeImpersonate copy token
    21. SeImpersonate from High To System
    22. Semanagevolume Perform Volume Maintenance Tasks
    23. Windows C Payloads
  62. Active Directory Methodology
    1. Abusing Active Directory ACLs/ACEs
      1. BadSuccessor
      2. Shadow Credentials
    3. AD Certificates
      1. AD CS Account Persistence
      2. AD CS Domain Escalation
      3. AD CS Domain Persistence
      4. AD CS Certificate Theft
    5. Ad Certificates
    6. AD information in printers
    7. AD DNS Records
    8. Adws Enumeration
    9. ASREPRoast
    10. Badsuccessor Dmsa Migration Abuse
    11. BloodHound & Other AD Enum Tools
    12. Constrained Delegation
    13. Custom SSP
    14. DCShadow
    15. DCSync
    16. Diamond Ticket
    17. DSRM Credentials
    18. External Forest Domain - OneWay (Inbound) or bidirectional
    19. External Forest Domain - One-Way (Outbound)
    20. Golden Dmsa Gmsa
    21. Golden Ticket
    22. Kerberoast
    23. Kerberos Authentication
    24. Kerberos Double Hop Problem
    25. Lansweeper Security
    26. LAPS
    27. MSSQL AD Abuse
    28. Over Pass the Hash/Pass the Key
    29. Pass the Ticket
    30. Password Spraying / Brute Force
    31. PrintNightmare
    32. Force NTLM Privileged Authentication
    33. Privileged Groups
    34. RDP Sessions Abuse
    35. Resource-based Constrained Delegation
    36. Sccm Management Point Relay Sql Policy Secrets
    37. Security Descriptors
    38. SID-History Injection
    39. Silver Ticket
    40. Skeleton Key
    41. Timeroasting
    42. Unconstrained Delegation
  64. Windows Security Controls
    1. UAC - User Account Control
  66. NTLM
    1. Places to steal NTLM creds
  68. Lateral Movement
    1. AtExec / SchtasksExec
    2. DCOM Exec
    3. PsExec/Winexec/ScExec
    4. RDPexec
    5. SCMexec
    6. WinRM
    7. WmiExec
  70. Pivoting to the Cloud$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/index.html$$
  71. Stealing Windows Credentials
    1. Windows Credentials Protections
    2. Mimikatz
    3. WTS Impersonator
  73. Basic Win CMD for Pentesters
  74. Basic PowerShell for Pentesters
    1. PowerView/SharpView
  76. Antivirus (AV) Bypass
  77. Cobalt Strike
  78. Mythic
  80. 📱 Mobile Pentesting
  81. Android APK Checklist
  82. Android Applications Pentesting
    1. Accessibility Services Abuse
    2. Android Anti Instrumentation And Ssl Pinning Bypass
    3. Android Applications Basics
    4. Android Task Hijacking
    5. ADB Commands
    6. APK decompilers
    7. AVD - Android Virtual Device
    8. Bypass Biometric Authentication (Android)
    9. content:// protocol
    10. Drozer Tutorial
      1. Exploiting Content Providers
    12. Exploiting a debuggeable application
    13. Flutter
    14. Frida Tutorial
      1. Frida Tutorial 1
      2. Frida Tutorial 2
      3. Frida Tutorial 3
      4. Objection Tutorial
    16. Google CTF 2018 - Shall We Play a Game?
    17. In Memory Jni Shellcode Execution
    18. Insecure In App Update Rce
    19. Install Burp Certificate
    20. Intent Injection
    21. Make APK Accept CA Certificate
    22. Manual DeObfuscation
    23. React Native Application
    24. Reversing Native Libraries
    25. Shizuku Privileged Api
    26. Smali - Decompiling, Modifying, Compiling
    27. Spoofing your location in Play Store
    28. Tapjacking
    29. Webview Attacks
  84. iOS Pentesting Checklist
  85. iOS Pentesting
    1. Air Keyboard Remote Input Injection
    2. iOS App Extensions
    3. iOS Basics
    4. iOS Basic Testing Operations
    5. iOS Burp Suite Configuration
    6. iOS Custom URI Handlers / Deeplinks / Custom Schemes
    7. iOS Extracting Entitlements From Compiled Application
    8. iOS Frida Configuration
    9. iOS Hooking With Objection
    10. iOS Pentesting withuot Jailbreak
    11. iOS Protocol Handlers
    12. iOS Serialisation and Encoding
    13. iOS Testing Environment
    14. iOS UIActivity Sharing
    15. iOS Universal Links
    16. iOS UIPasteboard
    17. iOS WebViews
  87. Cordova Apps
  88. Xamarin Apps
  90. 👽 Network Services Pentesting
  91. Pentesting JDWP - Java Debug Wire Protocol
  92. Pentesting Printers$$external:http://hacking-printers.net/wiki/index.php/Main_Page$$
  93. Pentesting SAP
  94. Pentesting VoIP
    1. Basic VoIP Protocols
      1. SIP (Session Initiation Protocol)
  96. Pentesting Remote GdbServer
  97. 7/tcp/udp - Pentesting Echo
  98. 21 - Pentesting FTP
    1. FTP Bounce attack - Scan
    2. FTP Bounce - Download 2ºFTP file
  100. 22 - Pentesting SSH/SFTP
  101. 23 - Pentesting Telnet
  102. 25,465,587 - Pentesting SMTP/s
    1. SMTP Smuggling
    2. SMTP - Commands
  104. 43 - Pentesting WHOIS
  105. 49 - Pentesting TACACS+
  106. 53 - Pentesting DNS
  107. 69/UDP TFTP/Bittorrent-tracker
  108. 79 - Pentesting Finger
  109. 80,443 - Pentesting Web Methodology
    1. 403 & 401 Bypasses
    2. AEM - Adobe Experience Cloud
    3. Angular
    4. Apache
    5. Artifactory Hacking guide
    6. Bolt CMS
    7. Buckets
      1. Firebase Database
    9. CGI
    10. Django
    11. DotNetNuke (DNN)
    12. Drupal
      1. Drupal RCE
    14. Electron Desktop Apps
      1. Electron contextIsolation RCE via preload code
      2. Electron contextIsolation RCE via Electron internal code
      3. Electron contextIsolation RCE via IPC
    16. Flask
    17. Git
    18. Golang
    19. Grafana
    20. GraphQL
    21. H2 - Java SQL database
    22. IIS - Internet Information Services
    23. ImageMagick Security
    24. Ispconfig
    25. JBOSS
    26. Jira & Confluence
    27. Joomla
    28. JSP
    29. Laravel
    30. Microsoft Sharepoint
    31. Moodle
    32. NextJS
    33. Nginx
    34. NodeJS Express
    35. Sitecore
    36. PHP Tricks
      1. PHP - Useful Functions & disable_functions/open_basedir bypass
        1. disable_functions bypass - php-fpm/FastCGI
        2. disable_functions bypass - dl function
        3. disable_functions bypass - PHP 7.0-7.4 (-nix only)
        4. disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
        5. disable_functions - PHP 5.x Shellshock Exploit
        6. disable_functions - PHP 5.2.4 ionCube extension Exploit
        7. disable_functions bypass - PHP <= 5.2.9 on windows
        8. disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
        9. disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
        10. disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
        11. disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
        12. disable_functions bypass - PHP 5.2 - FOpen Exploit
        13. disable_functions bypass - via mem
        14. disable_functions bypass - mod_cgi
        15. disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
      3. Php Rce Abusing Object Creation New Usd Get A Usd Get B
      4. PHP SSRF
    38. PrestaShop
    39. Python
    40. Rocket Chat
    41. Ruby Tricks
    42. Special HTTP headers$$external:network-services-pentesting/pentesting-web/special-http-headers.md$$
    43. Source code Review / SAST Tools
    44. Special Http Headers
    45. Spring Actuators
    46. Symfony
    47. Tomcat
    48. Uncovering CloudFlare
    49. Vuejs
    50. VMWare (ESX, VCenter...)
    51. Web API Pentesting
    52. WebDav
    53. Werkzeug / Flask Debug
    54. Wordpress
  111. 88tcp/udp - Pentesting Kerberos
    1. Harvesting tickets from Windows
    2. Harvesting tickets from Linux
    3. Wsgi
    4. Zabbix
  113. 110,995 - Pentesting POP
  114. 111/TCP/UDP - Pentesting Portmapper
  115. 113 - Pentesting Ident
  116. 123/udp - Pentesting NTP
  117. 135, 593 - Pentesting MSRPC
  118. 137,138,139 - Pentesting NetBios
  119. 139,445 - Pentesting SMB
    1. Ksmbd Attack Surface And Fuzzing Syzkaller
    2. rpcclient enumeration
  121. 143,993 - Pentesting IMAP
  122. 161,162,10161,10162/udp - Pentesting SNMP
    1. Cisco SNMP
    2. SNMP RCE
  124. 194,6667,6660-7000 - Pentesting IRC
  125. 264 - Pentesting Check Point FireWall-1
  126. 389, 636, 3268, 3269 - Pentesting LDAP
  127. 500/udp - Pentesting IPsec/IKE VPN
  128. 502 - Pentesting Modbus
  129. 512 - Pentesting Rexec
  130. 513 - Pentesting Rlogin
  131. 514 - Pentesting Rsh
  132. 515 - Pentesting Line Printer Daemon (LPD)
  133. 548 - Pentesting Apple Filing Protocol (AFP)
  134. 554,8554 - Pentesting RTSP
  135. 623/UDP/TCP - IPMI
  136. 631 - Internet Printing Protocol(IPP)
  137. 700 - Pentesting EPP
  138. 873 - Pentesting Rsync
  139. 1026 - Pentesting Rusersd
  140. 1080 - Pentesting Socks
  141. 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
  142. 1414 - Pentesting IBM MQ
  143. 1433 - Pentesting MSSQL - Microsoft SQL Server
    1. Types of MSSQL Users
  145. 1521,1522-1529 - Pentesting Oracle TNS Listener
  146. 1723 - Pentesting PPTP
  147. 1883 - Pentesting MQTT (Mosquitto)
  148. 2049 - Pentesting NFS Service
  149. 2301,2381 - Pentesting Compaq/HP Insight Manager
  150. 2375, 2376 Pentesting Docker
  151. 3128 - Pentesting Squid
  152. 3260 - Pentesting ISCSI
  153. 3299 - Pentesting SAPRouter
  154. 3306 - Pentesting Mysql
  155. 3389 - Pentesting RDP
  156. 3632 - Pentesting distcc
  157. 3690 - Pentesting Subversion (svn server)
  158. 3702/UDP - Pentesting WS-Discovery
  159. 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
  160. 4786 - Cisco Smart Install
  161. 4840 - OPC Unified Architecture
  162. 5000 - Pentesting Docker Registry
  163. 5353/UDP Multicast DNS (mDNS) and DNS-SD
  164. 5432,5433 - Pentesting Postgresql
  165. 5439 - Pentesting Redshift
  166. 5555 - Android Debug Bridge
  167. 5601 - Pentesting Kibana
  168. 5671,5672 - Pentesting AMQP
  169. 5800,5801,5900,5901 - Pentesting VNC
  170. 5984,6984 - Pentesting CouchDB
  171. 5985,5986 - Pentesting WinRM
  172. 5985,5986 - Pentesting OMI
  173. 6000 - Pentesting X11
  174. 6379 - Pentesting Redis
  175. 8009 - Pentesting Apache JServ Protocol (AJP)
  176. 8086 - Pentesting InfluxDB
  177. 8089 - Pentesting Splunkd
  178. 8333,18333,38333,18444 - Pentesting Bitcoin
  179. 9000 - Pentesting FastCGI
  180. 9001 - Pentesting HSQLDB
  181. 9042/9160 - Pentesting Cassandra
  182. 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
  183. 9200 - Pentesting Elasticsearch
  184. 10000 - Pentesting Network Data Management Protocol (ndmp)
  185. 11211 - Pentesting Memcache
    1. Memcache Commands
  187. 15672 - Pentesting RabbitMQ Management
  188. 24007,24008,24009,49152 - Pentesting GlusterFS
  189. 27017,27018 - Pentesting MongoDB
  190. 32100 Udp - Pentesting Pppp Cs2 P2p Cameras
  191. 44134 - Pentesting Tiller (Helm)
  192. 44818/UDP/TCP - Pentesting EthernetIP
  193. 47808/udp - Pentesting BACNet
  194. 50030,50060,50070,50075,50090 - Pentesting Hadoop
  196. 🕸️ Pentesting Web
  197. Less Code Injection Ssrf
  198. Web Vulnerabilities Methodology
  199. Reflecting Techniques - PoCs and Polygloths CheatSheet
    1. Web Vulns List
  201. 2FA/MFA/OTP Bypass
  202. Account Takeover
  203. Browser Extension Pentesting Methodology
    1. BrowExt - ClickJacking
    2. BrowExt - permissions & host_permissions
    3. BrowExt - XSS Example
    4. Forced Extension Load Preferences Mac Forgery Windows
  205. Bypass Payment Process
  206. Captcha Bypass
  207. Cache Poisoning and Cache Deception
    1. Cache Poisoning via URL discrepancies
    2. Cache Poisoning to DoS
  209. Clickjacking
  210. Client Side Template Injection (CSTI)
  211. Client Side Path Traversal
  212. Command Injection
  213. Content Security Policy (CSP) Bypass
    1. CSP bypass: self + 'unsafe-inline' with Iframes
  215. Cookies Hacking
    1. Cookie Tossing
    2. Cookie Jar Overflow
    3. Cookie Bomb
  217. CORS - Misconfigurations & Bypass
  218. CRLF (%0D%0A) Injection
  219. CSRF (Cross Site Request Forgery)
  220. Dangling Markup - HTML scriptless injection
    1. SS-Leaks
  222. DApps - Decentralized Applications
  223. Dependency Confusion
  224. Deserialization
    1. NodeJS - __proto__ & prototype Pollution
      1. Client Side Prototype Pollution
      2. Express Prototype Pollution Gadgets
      3. Prototype Pollution to RCE
    3. Java JSF ViewState (.faces) Deserialization
    4. Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
    5. Basic Java Deserialization (ObjectInputStream, readObject)
    6. Java Signedobject Gated Deserialization
    7. PHP - Deserialization + Autoload Classes
    8. CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
    9. Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
    10. Exploiting __VIEWSTATE knowing the secrets
    11. Exploiting __VIEWSTATE without knowing the secrets
    12. Python Yaml Deserialization
    13. JNDI - Java Naming and Directory Interface & Log4Shell
    14. Ruby Json Pollution
    15. Ruby Class Pollution
  226. Domain/Subdomain takeover
  227. Email Injections
  228. File Inclusion/Path traversal
    1. phar:// deserialization
    2. LFI2RCE via PHP Filters
    3. LFI2RCE via Nginx temp files
    4. LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
    5. LFI2RCE via Segmentation Fault
    6. LFI2RCE via phpinfo()
    7. LFI2RCE Via temp file uploads
    8. LFI2RCE via Eternal waiting
    9. LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
  230. File Upload
    1. PDF Upload - XXE and CORS bypass
  232. Formula/CSV/Doc/LaTeX/GhostScript Injection
  233. gRPC-Web Pentest
  234. HTTP Connection Contamination
  235. HTTP Connection Request Smuggling
  236. HTTP Request Smuggling / HTTP Desync Attack
    1. Browser HTTP Request Smuggling
    2. Request Smuggling in HTTP/2 Downgrades
  238. HTTP Response Smuggling / Desync
  239. Upgrade Header Smuggling
  240. hop-by-hop headers
  241. IDOR
  242. JWT Vulnerabilities (Json Web Tokens)
  243. JSON, XML and YAML Hacking
  244. LDAP Injection
  245. Login Bypass
    1. Login bypass List
  247. NoSQL injection
  248. OAuth to Account takeover
  249. Open Redirect
  250. ORM Injection
  251. Parameter Pollution | JSON Injection
  252. Phone Number Injections
  253. PostMessage Vulnerabilities
    1. Blocking main page to steal postmessage
    2. Bypassing SOP with Iframes - 1
    3. Bypassing SOP with Iframes - 2
    4. Steal postmessage modifying iframe location
  255. Proxy / WAF Protections Bypass
  256. Race Condition
  257. Rate Limit Bypass
  258. Registration & Takeover Vulnerabilities
  259. Regular expression Denial of Service - ReDoS
  260. Reset/Forgotten Password Bypass
  261. Reverse Tab Nabbing
  262. RSQL Injection
  263. SAML Attacks
    1. SAML Basics
  265. Server Side Inclusion/Edge Side Inclusion Injection
  266. SQL Injection
    1. MS Access SQL Injection
    2. MSSQL Injection
    3. MySQL injection
      1. MySQL File priv to SSRF/RCE
    5. Oracle injection
    6. Cypher Injection (neo4j)
    7. Sqlmap
    8. PostgreSQL injection
      1. dblink/lo_import data exfiltration
      2. PL/pgSQL Password Bruteforce
      3. Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
      4. Big Binary Files Upload (PostgreSQL)
      5. RCE with PostgreSQL Languages
      6. RCE with PostgreSQL Extensions
    10. SQLMap - CheatSheet
      1. Second Order Injection - SQLMap
  268. SSRF (Server Side Request Forgery)
    1. URL Format Bypass
    2. SSRF Vulnerable Platforms
    3. Cloud SSRF
  270. SSTI (Server Side Template Injection)
    1. EL - Expression Language
    2. Jinja2 SSTI
  272. Timing Attacks
  273. Unicode Injection
    1. Unicode Normalization
  275. UUID Insecurities
  276. WebSocket Attacks
  277. Web Tool - WFuzz
  278. XPATH injection
  279. XS Search
  280. XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
  281. XXE - XEE - XML External Entity
  282. XSS (Cross Site Scripting)
    1. Abusing Service Workers
    2. Chrome Cache to XSS
    3. Debugging Client Side JS
    4. Dom Clobbering
    5. DOM Invader
    6. DOM XSS
    7. Iframes in XSS, CSP and SOP
    8. Integer Overflow
    9. JS Hoisting
    10. Misc JS Tricks & Relevant Info
    11. PDF Injection
    12. Server Side XSS (Dynamic PDF)
    13. Shadow DOM
    14. SOME - Same Origin Method Execution
    15. Sniff Leak
    16. Steal Info JS
    17. Wasm Linear Memory Template Overwrite Xss
    18. XSS in Markdown
  284. XSSI (Cross-Site Script Inclusion)
  285. XS-Search/XS-Leaks
    1. Connection Pool Examples
    2. Connection Pool by Destination Example
    3. Cookie Bomb + Onerror XS Leak
    4. URL Max Length - Client Side
    5. performance.now example
    6. performance.now + Force heavy task
    7. Event Loop Blocking + Lazy images
    8. JavaScript Execution XS Leak
    9. CSS Injection
      1. CSS Injection Code
  287. Iframe Traps
  289. ⛈️ Cloud Security
  290. Pentesting Kubernetes$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/index.html$$
  291. Pentesting Cloud (AWS, GCP, Az...)$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/pentesting-cloud-methodology.html$$
  292. Pentesting CI/CD (Github, Jenkins, Terraform...)$$external:https://cloud.hacktricks.wiki/en/pentesting-ci-cd/pentesting-ci-cd-methodology.html$$
  294. 😎 Hardware/Physical Access
  295. Physical Attacks
  296. Escaping from KIOSKs
  297. Firmware Analysis
    1. Android Mediatek Secure Boot Bl2 Ext Bypass El3
    2. Bootloader testing
    3. Firmware Integrity
  300. 🎯 Binary Exploitation
  301. Basic Stack Binary Exploitation Methodology
    1. ELF Basic Information
    2. Exploiting Tools
      1. PwnTools
  303. Stack Overflow
    1. Pointer Redirecting
    2. Ret2win
      1. Ret2win - arm64
    4. Stack Shellcode
      1. Stack Shellcode - arm64
    6. Stack Pivoting - EBP2Ret - EBP chaining
    7. Uninitialized Variables
    8. ROP & JOP
    9. BROP - Blind Return Oriented Programming
    10. Ret2csu
    11. Ret2dlresolve
    12. Ret2esp / Ret2reg
    13. Ret2lib
      1. Leaking libc address with ROP
        1. Leaking libc - template
      3. One Gadget
      4. Ret2lib + Printf leak - arm64
    15. Ret2syscall
      1. Ret2syscall - ARM64
    17. Ret2vDSO
    18. SROP - Sigreturn-Oriented Programming
      1. SROP - ARM64
    20. Synology Encrypted Archive Decryption
    21. Windows Seh Overflow
  305. Array Indexing
  306. Chrome Exploiting
  307. Integer Overflow
  308. Format Strings
    1. Format Strings - Arbitrary Read Example
    2. Format Strings Template
  310. Libc Heap
    1. Bins & Memory Allocations
    2. Heap Memory Functions
      1. free
      2. malloc & sysmalloc
      3. unlink
      4. Heap Functions Security Checks
    4. Use After Free
      1. First Fit
    6. Double Free
    7. Overwriting a freed chunk
    8. Heap Overflow
    9. Unlink Attack
    10. Fast Bin Attack
    11. Unsorted Bin Attack
    12. Large Bin Attack
    13. Tcache Bin Attack
    14. Off by one overflow
    15. House of Spirit
    16. House of Lore | Small bin Attack
    17. House of Einherjar
    18. House of Force
    19. House of Orange
    20. House of Rabbit
    21. House of Roman
  312. Common Binary Exploitation Protections & Bypasses
    1. ASLR
      1. Ret2plt
      2. Ret2ret & Reo2pop
    3. CET & Shadow Stack
    4. Libc Protections
    5. Memory Tagging Extension (MTE)
    6. No-exec / NX
    7. PIE
      1. BF Addresses in the Stack
    9. Relro
    10. Stack Canaries
      1. BF Forked & Threaded Stack Canaries
      2. Print Stack Canary
  314. Write What Where 2 Exec
    1. Aw2exec Sips Icc Profile
    2. WWW2Exec - atexit()
    3. WWW2Exec - .dtors & .fini_array
    4. WWW2Exec - GOT/PLT
    5. WWW2Exec - __malloc_hook & __free_hook
  316. Common Exploiting Problems
  317. Linux kernel exploitation - toctou
  318. PS5 compromission
  319. Windows Exploiting (Basic Guide - OSCP lvl)
  320. iOS Exploiting
    1. ios CVE-2020-27950-mach_msg_trailer_t
    2. ios CVE-2021-30807-IOMobileFrameBuffer
    3. Imessage Media Parser Zero Click Coreaudio Pac Bypass
    4. ios Corellium
    5. ios Heap Exploitation
    6. ios Physical UAF - IOSurface
  323. 🤖 AI
  324. AI Security
    1. Ai Assisted Fuzzing And Vulnerability Discovery
    2. AI Security Methodology
    3. AI MCP Security
    4. AI Model Data Preparation
    5. AI Models RCE
    6. AI Prompts
    7. AI Risk Frameworks
    8. AI Supervised Learning Algorithms
    9. AI Unsupervised Learning Algorithms
    10. AI Reinforcement Learning Algorithms
    11. LLM Training
      1. 0. Basic LLM Concepts
      2. 1. Tokenizing
      3. 2. Data Sampling
      4. 3. Token Embeddings
      5. 4. Attention Mechanisms
      6. 5. LLM Architecture
      7. 6. Pre-training & Loading models
      8. 7.0. LoRA Improvements in fine-tuning
      9. 7.1. Fine-Tuning for Classification
      10. 7.2. Fine-Tuning to follow instructions
  327. 🔩 Reversing
  328. Reversing Tools & Basic Methods
    1. Angr
      1. Angr - Examples
    3. Z3 - Satisfiability Modulo Theories (SMT)
    4. Cheat Engine
    5. Blobrunner
  330. Common API used in Malware
  331. Word Macros
  333. 🔮 Crypto & Stego
  334. Cryptographic/Compression Algorithms
    1. Unpacking binaries
  336. Certificates
  337. Cipher Block Chaining CBC-MAC
  338. Crypto CTFs Tricks
  339. Electronic Code Book (ECB)
  340. Hash Length Extension Attack
  341. Padding Oracle
  342. RC4 - Encrypt&Decrypt
  343. Stego Tricks
  344. Esoteric languages
  346. ✍️ TODO
  347. Interesting Http
  348. Rust Basics
  349. More Tools
  350. Hardware Hacking
    1. Fault Injection Attacks
    2. I2C
    3. Side Channel Analysis
    4. UART
    5. Radio
    6. JTAG
    7. SPI
  352. Industrial Control Systems Hacking
    1. Modbus Protocol
  354. Radio Hacking
    1. Maxiprox Mobile Cloner
    2. Pentesting RFID
    3. Infrared
    4. Sub-GHz RF
    5. iButton
    6. Flipper Zero
      1. FZ - NFC
      2. FZ - Sub-GHz
      3. FZ - Infrared
      4. FZ - iButton
      5. FZ - 125kHz RFID
    8. Proxmark 3
    9. FISSURE - The RF Framework
    10. Low-Power Wide Area Network
    11. Pentesting BLE - Bluetooth Low Energy
  356. Test LLMs
  357. Burp Suite
  358. Other Web Tricks
  359. Interesting HTTP$$external:todo/interesting-http.md$$
  360. Android Forensics
  361. Online Platforms with API
  362. Stealing Sensitive Information Disclosure from a Web
  363. Post Exploitation
  364. Investment Terms
  365. Cookies Policy