1. 👾 Welcome!
  2. HackTricks
  3. HackTricks Values & FAQ
  4. About the author
  5. 🤩 Generic Methodologies & Resources
  6. Pentesting Methodology
  7. External Recon Methodology
    1. Wide Source Code Search
    2. Github Dorks & Leaks
  8. Pentesting Network
    1. DHCPv6
    2. EIGRP Attacks
    3. GLBP & HSRP Attacks
    4. IDS and IPS Evasion
    5. Lateral VLAN Segmentation Bypass
    6. Network Protocols Explained (ESP)
    7. Nmap Summary (ESP)
    8. Pentesting IPv6
    9. WebRTC DoS
    10. Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
    11. Spoofing SSDP and UPnP Devices with EvilSSDP
  9. Pentesting Wifi
    1. Enable Nexmon Monitor And Injection On Android
    2. Evil Twin EAP-TLS
  10. Phishing Methodology
    1. Clipboard Hijacking
    2. Clone a Website
    3. Detecting Phishing
    4. Discord Invite Hijacking
    5. Phishing Files & Documents
  11. Basic Forensic Methodology
    1. Baseline Monitoring
    2. Anti-Forensic Techniques
    3. Docker Forensics
    4. Image Acquisition & Mount
    5. Linux Forensics
    6. Malware Analysis
    7. Memory dump analysis
      1. Volatility - CheatSheet
    8. Partitions/File Systems/Carving
      1. File/Data Carving & Recovery Tools
    9. Pcap Inspection
      1. DNSCat pcap analysis
      2. Suricata & Iptables cheatsheet
      3. USB Keystrokes
      4. Wifi Pcap Analysis
      5. Wireshark tricks
    10. Specific Software/File-Type Tricks
      1. Decompile compiled python binaries (exe, elf) - Retreive from .pyc
      2. Browser Artifacts
      3. Deofuscation vbs (cscript.exe)
      4. Local Cloud Storage
      5. Office file analysis
      6. PDF File analysis
      7. PNG tricks
      8. Video and Audio file analysis
      9. ZIPs tricks
    11. Windows Artifacts
      1. Interesting Windows Registry Keys
  12. Python Sandbox Escape & Pyscript
    1. Bypass Python sandboxes
      1. LOAD_NAME / LOAD_CONST opcode OOB Read
    2. Class Pollution (Python's Prototype Pollution)
    3. Python Internal Read Gadgets
    4. Pyscript
    5. venv
    6. Web Requests
    7. Bruteforce hash (few chars)
    8. Basic Python
  13. Threat Modeling
  14. 🧙‍♂️ Generic Hacking
  15. Brute Force - CheatSheet
  16. Esim Javacard Exploitation
  17. Exfiltration
  18. Reverse Shells (Linux, Windows, MSFVenom)
    1. MSFVenom - CheatSheet
    2. Reverse Shells - Windows
    3. Reverse Shells - Linux
    4. Expose local to the internet
    5. Full TTYs
  19. Search Exploits
  20. Tunneling and Port Forwarding
  21. 🐧 Linux Hardening
  22. Checklist - Linux Privilege Escalation
  23. Linux Privilege Escalation
    1. Arbitrary File Write to Root
    2. Cisco - vmanage
    3. Containerd (ctr) Privilege Escalation
    4. D-Bus Enumeration & Command Injection Privilege Escalation
    5. Docker Security
      1. Abusing Docker Socket for Privilege Escalation
      2. AppArmor
      3. AuthZ& AuthN - Docker Access Authorization Plugin
      4. CGroups
      5. Docker --privileged
      6. Docker Breakout / Privilege Escalation
        1. release_agent exploit - Relative Paths to PIDs
        2. Docker release_agent cgroups escape
        3. Sensitive Mounts
      7. Namespaces
        1. CGroup Namespace
        2. IPC Namespace
        3. PID Namespace
        4. Mount Namespace
        5. Network Namespace
        6. Time Namespace
        7. User Namespace
        8. UTS Namespace
      8. Seccomp
      9. Weaponizing Distroless
    6. Escaping from Jails
    7. euid, ruid, suid
    8. Interesting Groups - Linux Privesc
      1. lxd/lxc Group - Privilege escalation
    9. Logstash
    10. ld.so privesc exploit example
    11. Linux Active Directory
    12. Linux Capabilities
    13. NFS no_root_squash/no_all_squash misconfiguration PE
    14. Node inspector/CEF debug abuse
    15. Payloads to execute
    16. RunC Privilege Escalation
    17. SELinux
    18. Socket Command Injection
    19. Splunk LPE and Persistence
    20. SSH Forward Agent exploitation
    21. Wildcards Spare tricks
  24. Useful Linux Commands
  25. Bypass Linux Restrictions
    1. Bypass FS protections: read-only / no-exec / Distroless
      1. DDexec / EverythingExec
  26. Linux Environment Variables
  27. Linux Post-Exploitation
    1. PAM - Pluggable Authentication Modules
  28. FreeIPA Pentesting
  29. 🍏 MacOS Hardening
  30. macOS Security & Privilege Escalation
    1. macOS Apps - Inspecting, debugging and Fuzzing
      1. Objects in memory
      2. Introduction to x64
      3. Introduction to ARM64v8
    2. macOS AppleFS
    3. macOS Bypassing Firewalls
    4. macOS Defensive Apps
    5. Macos Dyld Hijacking And Dyld Insert Libraries
    6. macOS GCD - Grand Central Dispatch
    7. macOS Kernel & System Extensions
      1. macOS IOKit
      2. macOS Kernel Extensions & Debugging
      3. macOS Kernel Vulnerabilities
      4. macOS System Extensions
    8. macOS Network Services & Protocols
    9. macOS File Extension & URL scheme app handlers
    10. macOS Files, Folders, Binaries & Memory
      1. macOS Bundles
      2. macOS Installers Abuse
      3. macOS Memory Dumping
      4. macOS Sensitive Locations & Interesting Daemons
      5. macOS Universal binaries & Mach-O Format
    11. macOS Objective-C
    12. macOS Privilege Escalation
    13. macOS Process Abuse
      1. macOS Dirty NIB
      2. macOS Chromium Injection
      3. macOS Electron Applications Injection
      4. macOS Function Hooking
      5. macOS IPC - Inter Process Communication
        1. macOS MIG - Mach Interface Generator
        2. macOS XPC
          1. macOS XPC Authorization
          2. macOS XPC Connecting Process Check
            1. macOS PID Reuse
            2. macOS xpc_connection_get_audit_token Attack
        3. macOS Thread Injection via Task port
      6. macOS Java Applications Injection
      7. macOS Library Injection
        1. macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
        2. macOS Dyld Process
      8. macOS Perl Applications Injection
      9. macOS Python Applications Injection
      10. macOS Ruby Applications Injection
      11. macOS .Net Applications Injection
    14. macOS Security Protections
      1. macOS Gatekeeper / Quarantine / XProtect
      2. macOS Launch/Environment Constraints & Trust Cache
      3. macOS Sandbox
        1. macOS Default Sandbox Debug
        2. macOS Sandbox Debug & Bypass
          1. macOS Office Sandbox Bypasses
      4. macOS Authorizations DB & Authd
      5. macOS SIP
      6. macOS TCC
        1. macOS Apple Events
        2. macOS TCC Bypasses
          1. macOS Apple Scripts
        3. macOS TCC Payloads
      7. macOS Dangerous Entitlements & TCC perms
      8. macOS - AMFI - AppleMobileFileIntegrity
      9. macOS MACF - Mandatory Access Control Framework
      10. macOS Code Signing
      11. macOS FS Tricks
        1. macOS xattr-acls extra stuff
    15. macOS Users & External Accounts
  31. macOS Red Teaming
    1. macOS MDM
      1. Enrolling Devices in Other Organisations
      2. macOS Serial Number
    2. macOS Keychain
  32. macOS Useful Commands
  33. macOS Auto Start
  34. 🪟 Windows Hardening
  35. Authentication Credentials Uac And Efs
  36. Checklist - Local Windows Privilege Escalation
  37. Windows Local Privilege Escalation
    1. Dll Hijacking
    2. Abusing Tokens
    3. Access Tokens
    4. ACLs - DACLs/SACLs/ACEs
    5. AppendData/AddSubdirectory permission over service registry
    6. Create MSI with WIX
    7. COM Hijacking
    8. Dll Hijacking
      1. Writable Sys Path +Dll Hijacking Privesc
    9. DPAPI - Extracting Passwords
    10. From High Integrity to SYSTEM with Name Pipes
    11. Integrity Levels
    12. JuicyPotato
    13. Leaked Handle Exploitation
    14. MSI Wrapper
    15. Named Pipe Client Impersonation
    16. Privilege Escalation with Autoruns
    17. RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
    18. SeDebug + SeImpersonate copy token
    19. SeImpersonate from High To System
    20. Windows C Payloads
  38. Active Directory Methodology
    1. Abusing Active Directory ACLs/ACEs
      1. BadSuccessor
      2. Shadow Credentials
    2. AD Certificates
      1. AD CS Account Persistence
      2. AD CS Domain Escalation
      3. AD CS Domain Persistence
      4. AD CS Certificate Theft
    3. Ad Certificates
    4. AD information in printers
    5. AD DNS Records
    6. ASREPRoast
    7. BloodHound & Other AD Enum Tools
    8. Constrained Delegation
    9. Custom SSP
    10. DCShadow
    11. DCSync
    12. Diamond Ticket
    13. DSRM Credentials
    14. External Forest Domain - OneWay (Inbound) or bidirectional
    15. External Forest Domain - One-Way (Outbound)
    16. Golden Ticket
    17. Kerberoast
    18. Kerberos Authentication
    19. Kerberos Double Hop Problem
    20. LAPS
    21. MSSQL AD Abuse
    22. Over Pass the Hash/Pass the Key
    23. Pass the Ticket
    24. Password Spraying / Brute Force
    25. PrintNightmare
    26. Force NTLM Privileged Authentication
    27. Privileged Groups
    28. RDP Sessions Abuse
    29. Resource-based Constrained Delegation
    30. Security Descriptors
    31. SID-History Injection
    32. Silver Ticket
    33. Skeleton Key
    34. Timeroasting
    35. Unconstrained Delegation
  39. Windows Security Controls
    1. UAC - User Account Control
  40. NTLM
    1. Places to steal NTLM creds
  41. Lateral Movement
    1. AtExec / SchtasksExec
    2. DCOM Exec
    3. PsExec/Winexec/ScExec
    4. RDPexec
    5. SCMexec
    6. WinRM
    7. WmiExec
  42. Pivoting to the Cloud$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/index.html$$
  43. Stealing Windows Credentials
    1. Windows Credentials Protections
    2. Mimikatz
    3. WTS Impersonator
  44. Basic Win CMD for Pentesters
  45. Basic PowerShell for Pentesters
    1. PowerView/SharpView
  46. Antivirus (AV) Bypass
  47. Cobalt Strike
  48. Mythic
  49. 📱 Mobile Pentesting
  50. Android APK Checklist
  51. Android Applications Pentesting
    1. Android Applications Basics
    2. Android Task Hijacking
    3. ADB Commands
    4. APK decompilers
    5. AVD - Android Virtual Device
    6. Bypass Biometric Authentication (Android)
    7. content:// protocol
    8. Drozer Tutorial
      1. Exploiting Content Providers
    9. Exploiting a debuggeable application
    10. Flutter
    11. Frida Tutorial
      1. Frida Tutorial 1
      2. Frida Tutorial 2
      3. Frida Tutorial 3
      4. Objection Tutorial
    12. Google CTF 2018 - Shall We Play a Game?
    13. Install Burp Certificate
    14. Intent Injection
    15. Make APK Accept CA Certificate
    16. Manual DeObfuscation
    17. React Native Application
    18. Reversing Native Libraries
    19. Shizuku Privileged Api
    20. Smali - Decompiling, Modifying, Compiling
    21. Spoofing your location in Play Store
    22. Tapjacking
    23. Webview Attacks
  52. iOS Pentesting Checklist
  53. iOS Pentesting
    1. iOS App Extensions
    2. iOS Basics
    3. iOS Basic Testing Operations
    4. iOS Burp Suite Configuration
    5. iOS Custom URI Handlers / Deeplinks / Custom Schemes
    6. iOS Extracting Entitlements From Compiled Application
    7. iOS Frida Configuration
    8. iOS Hooking With Objection
    9. iOS Pentesting withuot Jailbreak
    10. iOS Protocol Handlers
    11. iOS Serialisation and Encoding
    12. iOS Testing Environment
    13. iOS UIActivity Sharing
    14. iOS Universal Links
    15. iOS UIPasteboard
    16. iOS WebViews
  54. Cordova Apps
  55. Xamarin Apps
  56. 👽 Network Services Pentesting
  57. Pentesting JDWP - Java Debug Wire Protocol
  58. Pentesting Printers$$external:http://hacking-printers.net/wiki/index.php/Main_Page$$
  59. Pentesting SAP
  60. Pentesting VoIP
    1. Basic VoIP Protocols
      1. SIP (Session Initiation Protocol)
  61. Pentesting Remote GdbServer
  62. 7/tcp/udp - Pentesting Echo
  63. 21 - Pentesting FTP
    1. FTP Bounce attack - Scan
    2. FTP Bounce - Download 2ºFTP file
  64. 22 - Pentesting SSH/SFTP
  65. 23 - Pentesting Telnet
  66. 25,465,587 - Pentesting SMTP/s
    1. SMTP Smuggling
    2. SMTP - Commands
  67. 43 - Pentesting WHOIS
  68. 49 - Pentesting TACACS+
  69. 53 - Pentesting DNS
  70. 69/UDP TFTP/Bittorrent-tracker
  71. 79 - Pentesting Finger
  72. 80,443 - Pentesting Web Methodology
    1. 403 & 401 Bypasses
    2. AEM - Adobe Experience Cloud
    3. Angular
    4. Apache
    5. Artifactory Hacking guide
    6. Bolt CMS
    7. Buckets
      1. Firebase Database
    8. CGI
    9. Django
    10. DotNetNuke (DNN)
    11. Drupal
      1. Drupal RCE
    12. Electron Desktop Apps
      1. Electron contextIsolation RCE via preload code
      2. Electron contextIsolation RCE via Electron internal code
      3. Electron contextIsolation RCE via IPC
    13. Flask
    14. Git
    15. Golang
    16. Grafana
    17. GraphQL
    18. H2 - Java SQL database
    19. IIS - Internet Information Services
    20. ImageMagick Security
    21. JBOSS
    22. Jira & Confluence
    23. Joomla
    24. JSP
    25. Laravel
    26. Moodle
    27. NextJS
    28. Nginx
    29. NodeJS Express
    30. PHP Tricks
      1. PHP - Useful Functions & disable_functions/open_basedir bypass
        1. disable_functions bypass - php-fpm/FastCGI
        2. disable_functions bypass - dl function
        3. disable_functions bypass - PHP 7.0-7.4 (-nix only)
        4. disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
        5. disable_functions - PHP 5.x Shellshock Exploit
        6. disable_functions - PHP 5.2.4 ionCube extension Exploit
        7. disable_functions bypass - PHP <= 5.2.9 on windows
        8. disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
        9. disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
        10. disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
        11. disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
        12. disable_functions bypass - PHP 5.2 - FOpen Exploit
        13. disable_functions bypass - via mem
        14. disable_functions bypass - mod_cgi
        15. disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
      2. Php Rce Abusing Object Creation New Usd Get A Usd Get B
      3. PHP SSRF
    31. PrestaShop
    32. Python
    33. Rocket Chat
    34. Ruby Tricks
    35. Special HTTP headers$$external:network-services-pentesting/pentesting-web/special-http-headers.md$$
    36. Source code Review / SAST Tools
    37. Special Http Headers
    38. Spring Actuators
    39. Symfony
    40. Tomcat
    41. Uncovering CloudFlare
    42. Vuejs
    43. VMWare (ESX, VCenter...)
    44. Web API Pentesting
    45. WebDav
    46. Werkzeug / Flask Debug
    47. Wordpress
  73. 88tcp/udp - Pentesting Kerberos
    1. Harvesting tickets from Windows
    2. Harvesting tickets from Linux
  74. 110,995 - Pentesting POP
  75. 111/TCP/UDP - Pentesting Portmapper
  76. 113 - Pentesting Ident
  77. 123/udp - Pentesting NTP
  78. 135, 593 - Pentesting MSRPC
  79. 137,138,139 - Pentesting NetBios
  80. 139,445 - Pentesting SMB
    1. rpcclient enumeration
  81. 143,993 - Pentesting IMAP
  82. 161,162,10161,10162/udp - Pentesting SNMP
    1. Cisco SNMP
    2. SNMP RCE
  83. 194,6667,6660-7000 - Pentesting IRC
  84. 264 - Pentesting Check Point FireWall-1
  85. 389, 636, 3268, 3269 - Pentesting LDAP
  86. 500/udp - Pentesting IPsec/IKE VPN
  87. 502 - Pentesting Modbus
  88. 512 - Pentesting Rexec
  89. 513 - Pentesting Rlogin
  90. 514 - Pentesting Rsh
  91. 515 - Pentesting Line Printer Daemon (LPD)
  92. 548 - Pentesting Apple Filing Protocol (AFP)
  93. 554,8554 - Pentesting RTSP
  94. 623/UDP/TCP - IPMI
  95. 631 - Internet Printing Protocol(IPP)
  96. 700 - Pentesting EPP
  97. 873 - Pentesting Rsync
  98. 1026 - Pentesting Rusersd
  99. 1080 - Pentesting Socks
  100. 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
  101. 1414 - Pentesting IBM MQ
  102. 1433 - Pentesting MSSQL - Microsoft SQL Server
    1. Types of MSSQL Users
  103. 1521,1522-1529 - Pentesting Oracle TNS Listener
  104. 1723 - Pentesting PPTP
  105. 1883 - Pentesting MQTT (Mosquitto)
  106. 2049 - Pentesting NFS Service
  107. 2301,2381 - Pentesting Compaq/HP Insight Manager
  108. 2375, 2376 Pentesting Docker
  109. 3128 - Pentesting Squid
  110. 3260 - Pentesting ISCSI
  111. 3299 - Pentesting SAPRouter
  112. 3306 - Pentesting Mysql
  113. 3389 - Pentesting RDP
  114. 3632 - Pentesting distcc
  115. 3690 - Pentesting Subversion (svn server)
  116. 3702/UDP - Pentesting WS-Discovery
  117. 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
  118. 4786 - Cisco Smart Install
  119. 4840 - OPC Unified Architecture
  120. 5000 - Pentesting Docker Registry
  121. 5353/UDP Multicast DNS (mDNS) and DNS-SD
  122. 5432,5433 - Pentesting Postgresql
  123. 5439 - Pentesting Redshift
  124. 5555 - Android Debug Bridge
  125. 5601 - Pentesting Kibana
  126. 5671,5672 - Pentesting AMQP
  127. 5800,5801,5900,5901 - Pentesting VNC
  128. 5984,6984 - Pentesting CouchDB
  129. 5985,5986 - Pentesting WinRM
  130. 5985,5986 - Pentesting OMI
  131. 6000 - Pentesting X11
  132. 6379 - Pentesting Redis
  133. 8009 - Pentesting Apache JServ Protocol (AJP)
  134. 8086 - Pentesting InfluxDB
  135. 8089 - Pentesting Splunkd
  136. 8333,18333,38333,18444 - Pentesting Bitcoin
  137. 9000 - Pentesting FastCGI
  138. 9001 - Pentesting HSQLDB
  139. 9042/9160 - Pentesting Cassandra
  140. 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
  141. 9200 - Pentesting Elasticsearch
  142. 10000 - Pentesting Network Data Management Protocol (ndmp)
  143. 11211 - Pentesting Memcache
    1. Memcache Commands
  144. 15672 - Pentesting RabbitMQ Management
  145. 24007,24008,24009,49152 - Pentesting GlusterFS
  146. 27017,27018 - Pentesting MongoDB
  147. 44134 - Pentesting Tiller (Helm)
  148. 44818/UDP/TCP - Pentesting EthernetIP
  149. 47808/udp - Pentesting BACNet
  150. 50030,50060,50070,50075,50090 - Pentesting Hadoop
  151. 🕸️ Pentesting Web
  152. Less Code Injection Ssrf
  153. Web Vulnerabilities Methodology
  154. Reflecting Techniques - PoCs and Polygloths CheatSheet
    1. Web Vulns List
  155. 2FA/MFA/OTP Bypass
  156. Account Takeover
  157. Browser Extension Pentesting Methodology
    1. BrowExt - ClickJacking
    2. BrowExt - permissions & host_permissions
    3. BrowExt - XSS Example
  158. Bypass Payment Process
  159. Captcha Bypass
  160. Cache Poisoning and Cache Deception
    1. Cache Poisoning via URL discrepancies
    2. Cache Poisoning to DoS
  161. Clickjacking
  162. Client Side Template Injection (CSTI)
  163. Client Side Path Traversal
  164. Command Injection
  165. Content Security Policy (CSP) Bypass
    1. CSP bypass: self + 'unsafe-inline' with Iframes
  166. Cookies Hacking
    1. Cookie Tossing
    2. Cookie Jar Overflow
    3. Cookie Bomb
  167. CORS - Misconfigurations & Bypass
  168. CRLF (%0D%0A) Injection
  169. CSRF (Cross Site Request Forgery)
  170. Dangling Markup - HTML scriptless injection
    1. SS-Leaks
  171. DApps - Decentralized Applications
  172. Dependency Confusion
  173. Deserialization
    1. NodeJS - __proto__ & prototype Pollution
      1. Client Side Prototype Pollution
      2. Express Prototype Pollution Gadgets
      3. Prototype Pollution to RCE
    2. Java JSF ViewState (.faces) Deserialization
    3. Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
    4. Basic Java Deserialization (ObjectInputStream, readObject)
    5. PHP - Deserialization + Autoload Classes
    6. CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
    7. Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
    8. Exploiting __VIEWSTATE knowing the secrets
    9. Exploiting __VIEWSTATE without knowing the secrets
    10. Python Yaml Deserialization
    11. JNDI - Java Naming and Directory Interface & Log4Shell
    12. Ruby Json Pollution
    13. Ruby Class Pollution
  174. Domain/Subdomain takeover
  175. Email Injections
  176. File Inclusion/Path traversal
    1. phar:// deserialization
    2. LFI2RCE via PHP Filters
    3. LFI2RCE via Nginx temp files
    4. LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
    5. LFI2RCE via Segmentation Fault
    6. LFI2RCE via phpinfo()
    7. LFI2RCE Via temp file uploads
    8. LFI2RCE via Eternal waiting
    9. LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
  177. File Upload
    1. PDF Upload - XXE and CORS bypass
  178. Formula/CSV/Doc/LaTeX/GhostScript Injection
  179. gRPC-Web Pentest
  180. HTTP Connection Contamination
  181. HTTP Connection Request Smuggling
  182. HTTP Request Smuggling / HTTP Desync Attack
    1. Browser HTTP Request Smuggling
    2. Request Smuggling in HTTP/2 Downgrades
  183. HTTP Response Smuggling / Desync
  184. Upgrade Header Smuggling
  185. hop-by-hop headers
  186. IDOR
  187. JWT Vulnerabilities (Json Web Tokens)
  188. JSON, XML and YAML Hacking
  189. LDAP Injection
  190. Login Bypass
    1. Login bypass List
  191. NoSQL injection
  192. OAuth to Account takeover
  193. Open Redirect
  194. ORM Injection
  195. Parameter Pollution | JSON Injection
  196. Phone Number Injections
  197. PostMessage Vulnerabilities
    1. Blocking main page to steal postmessage
    2. Bypassing SOP with Iframes - 1
    3. Bypassing SOP with Iframes - 2
    4. Steal postmessage modifying iframe location
  198. Proxy / WAF Protections Bypass
  199. Race Condition
  200. Rate Limit Bypass
  201. Registration & Takeover Vulnerabilities
  202. Regular expression Denial of Service - ReDoS
  203. Reset/Forgotten Password Bypass
  204. Reverse Tab Nabbing
  205. RSQL Injection
  206. SAML Attacks
    1. SAML Basics
  207. Server Side Inclusion/Edge Side Inclusion Injection
  208. SQL Injection
    1. MS Access SQL Injection
    2. MSSQL Injection
    3. MySQL injection
      1. MySQL File priv to SSRF/RCE
    4. Oracle injection
    5. Cypher Injection (neo4j)
    6. Sqlmap
    7. PostgreSQL injection
      1. dblink/lo_import data exfiltration
      2. PL/pgSQL Password Bruteforce
      3. Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
      4. Big Binary Files Upload (PostgreSQL)
      5. RCE with PostgreSQL Languages
      6. RCE with PostgreSQL Extensions
    8. SQLMap - CheatSheet
      1. Second Order Injection - SQLMap
  209. SSRF (Server Side Request Forgery)
    1. URL Format Bypass
    2. SSRF Vulnerable Platforms
    3. Cloud SSRF
  210. SSTI (Server Side Template Injection)
    1. EL - Expression Language
    2. Jinja2 SSTI
  211. Timing Attacks
  212. Unicode Injection
    1. Unicode Normalization
  213. UUID Insecurities
  214. WebSocket Attacks
  215. Web Tool - WFuzz
  216. XPATH injection
  217. XS Search
  218. XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
  219. XXE - XEE - XML External Entity
  220. XSS (Cross Site Scripting)
    1. Abusing Service Workers
    2. Chrome Cache to XSS
    3. Debugging Client Side JS
    4. Dom Clobbering
    5. DOM Invader
    6. DOM XSS
    7. Iframes in XSS, CSP and SOP
    8. Integer Overflow
    9. JS Hoisting
    10. Misc JS Tricks & Relevant Info
    11. PDF Injection
    12. Server Side XSS (Dynamic PDF)
    13. Shadow DOM
    14. SOME - Same Origin Method Execution
    15. Sniff Leak
    16. Steal Info JS
    17. XSS in Markdown
  221. XSSI (Cross-Site Script Inclusion)
  222. XS-Search/XS-Leaks
    1. Connection Pool Examples
    2. Connection Pool by Destination Example
    3. Cookie Bomb + Onerror XS Leak
    4. URL Max Length - Client Side
    5. performance.now example
    6. performance.now + Force heavy task
    7. Event Loop Blocking + Lazy images
    8. JavaScript Execution XS Leak
    9. CSS Injection
      1. CSS Injection Code
  223. Iframe Traps
  224. ⛈️ Cloud Security
  225. Pentesting Kubernetes$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/index.html$$
  226. Pentesting Cloud (AWS, GCP, Az...)$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/pentesting-cloud-methodology.html$$
  227. Pentesting CI/CD (Github, Jenkins, Terraform...)$$external:https://cloud.hacktricks.wiki/en/pentesting-ci-cd/pentesting-ci-cd-methodology.html$$
  228. 😎 Hardware/Physical Access
  229. Physical Attacks
  230. Escaping from KIOSKs
  231. Firmware Analysis
    1. Bootloader testing
    2. Firmware Integrity
  232. 🎯 Binary Exploitation
  233. Basic Stack Binary Exploitation Methodology
    1. ELF Basic Information
    2. Exploiting Tools
      1. PwnTools
  234. Stack Overflow
    1. Pointer Redirecting
    2. Ret2win
      1. Ret2win - arm64
    3. Stack Shellcode
      1. Stack Shellcode - arm64
    4. Stack Pivoting - EBP2Ret - EBP chaining
    5. Uninitialized Variables
  235. ROP - Return Oriented Programing
    1. BROP - Blind Return Oriented Programming
    2. Ret2csu
    3. Ret2dlresolve
    4. Ret2esp / Ret2reg
    5. Ret2lib
      1. Leaking libc address with ROP
        1. Leaking libc - template
      2. One Gadget
      3. Ret2lib + Printf leak - arm64
    6. Ret2syscall
      1. Ret2syscall - ARM64
    7. Ret2vDSO
    8. SROP - Sigreturn-Oriented Programming
      1. SROP - ARM64
  236. Array Indexing
  237. Integer Overflow
  238. Format Strings
    1. Format Strings - Arbitrary Read Example
    2. Format Strings Template
  239. Libc Heap
    1. Bins & Memory Allocations
    2. Heap Memory Functions
      1. free
      2. malloc & sysmalloc
      3. unlink
      4. Heap Functions Security Checks
    3. Use After Free
      1. First Fit
    4. Double Free
    5. Overwriting a freed chunk
    6. Heap Overflow
    7. Unlink Attack
    8. Fast Bin Attack
    9. Unsorted Bin Attack
    10. Large Bin Attack
    11. Tcache Bin Attack
    12. Off by one overflow
    13. House of Spirit
    14. House of Lore | Small bin Attack
    15. House of Einherjar
    16. House of Force
    17. House of Orange
    18. House of Rabbit
    19. House of Roman
  240. Common Binary Exploitation Protections & Bypasses
    1. ASLR
      1. Ret2plt
      2. Ret2ret & Reo2pop
    2. CET & Shadow Stack
    3. Libc Protections
    4. Memory Tagging Extension (MTE)
    5. No-exec / NX
    6. PIE
      1. BF Addresses in the Stack
    7. Relro
    8. Stack Canaries
      1. BF Forked & Threaded Stack Canaries
      2. Print Stack Canary
  241. Write What Where 2 Exec
    1. Aw2exec Sips Icc Profile
    2. WWW2Exec - atexit()
    3. WWW2Exec - .dtors & .fini_array
    4. WWW2Exec - GOT/PLT
    5. WWW2Exec - __malloc_hook & __free_hook
  242. Common Exploiting Problems
  243. Windows Exploiting (Basic Guide - OSCP lvl)
  244. iOS Exploiting
  245. 🤖 AI
  246. AI Security
    1. AI Security Methodology
    2. AI MCP Security
    3. AI Model Data Preparation
    4. AI Models RCE
    5. AI Prompts
    6. AI Risk Frameworks
    7. AI Supervised Learning Algorithms
    8. AI Unsupervised Learning Algorithms
    9. AI Reinforcement Learning Algorithms
    10. LLM Training
      1. 0. Basic LLM Concepts
      2. 1. Tokenizing
      3. 2. Data Sampling
      4. 3. Token Embeddings
      5. 4. Attention Mechanisms
      6. 5. LLM Architecture
      7. 6. Pre-training & Loading models
      8. 7.0. LoRA Improvements in fine-tuning
      9. 7.1. Fine-Tuning for Classification
      10. 7.2. Fine-Tuning to follow instructions
  247. 🔩 Reversing
  248. Reversing Tools & Basic Methods
    1. Angr
      1. Angr - Examples
    2. Z3 - Satisfiability Modulo Theories (SMT)
    3. Cheat Engine
    4. Blobrunner
  249. Common API used in Malware
  250. Word Macros
  251. 🔮 Crypto & Stego
  252. Cryptographic/Compression Algorithms
    1. Unpacking binaries
  253. Certificates
  254. Cipher Block Chaining CBC-MAC
  255. Crypto CTFs Tricks
  256. Electronic Code Book (ECB)
  257. Hash Length Extension Attack
  258. Padding Oracle
  259. RC4 - Encrypt&Decrypt
  260. Stego Tricks
  261. Esoteric languages
  262. Blockchain & Crypto Currencies
  263. ✍️ TODO
  264. Interesting Http
  265. Rust Basics
  266. More Tools
  267. MISC
  268. Hardware Hacking
    1. Fault Injection Attacks
    2. I2C
    3. Side Channel Analysis
    4. UART
    5. Radio
    6. JTAG
    7. SPI
  269. Industrial Control Systems Hacking
    1. Modbus Protocol
  270. Radio Hacking
    1. Pentesting RFID
    2. Infrared
    3. Sub-GHz RF
    4. iButton
    5. Flipper Zero
      1. FZ - NFC
      2. FZ - Sub-GHz
      3. FZ - Infrared
      4. FZ - iButton
      5. FZ - 125kHz RFID
    6. Proxmark 3
    7. FISSURE - The RF Framework
    8. Low-Power Wide Area Network
    9. Pentesting BLE - Bluetooth Low Energy
  271. Test LLMs
  272. Burp Suite
  273. Other Web Tricks
  274. Interesting HTTP$$external:todo/interesting-http.md$$
  275. Android Forensics
  276. Online Platforms with API
  277. Stealing Sensitive Information Disclosure from a Web
  278. Post Exploitation
  279. Investment Terms
  280. Cookies Policy
    1. Readme
    2. Readme
    3. Readme
    4. Readme
    5. Readme
    6. Readme
    7. Readme