2. 👾 Welcome!
  3. HackTricks
  4. HackTricks Values & FAQ
  5. About the author
  7. 🤩 Generic Methodologies & Resources
  8. Pentesting Methodology
  9. External Recon Methodology
    1. Wide Source Code Search
    2. Github Dorks & Leaks
  10. Pentesting Network
    1. DHCPv6
    2. EIGRP Attacks
    3. GLBP & HSRP Attacks
    4. IDS and IPS Evasion
    5. Lateral VLAN Segmentation Bypass
    6. Network Protocols Explained (ESP)
    7. Nmap Summary (ESP)
    8. Pentesting IPv6
    9. Telecom Network Exploitation
    10. WebRTC DoS
    11. Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
    12. Spoofing SSDP and UPnP Devices with EvilSSDP
  11. Pentesting Wifi
    1. Enable Nexmon Monitor And Injection On Android
    2. Evil Twin EAP-TLS
  12. Phishing Methodology
    1. Ai Agent Abuse Local Ai Cli Tools And Mcp
    2. Ai Agent Mode Phishing Abusing Hosted Agent Browsers
    3. Clipboard Hijacking
    4. Clone a Website
    5. Detecting Phishing
    6. Discord Invite Hijacking
    7. Homograph Attacks
    8. Mobile Phishing Malicious Apps
    9. Phishing Files & Documents
  13. Basic Forensic Methodology
    1. Adaptixc2 Config Extraction And Ttps
    2. Baseline Monitoring
    3. Anti-Forensic Techniques
    4. Docker Forensics
    5. Image Acquisition & Mount
    6. Ios Backup Forensics
    7. Linux Forensics
    8. Malware Analysis
    9. Memory dump analysis
      1. Volatility - CheatSheet
    10. Partitions/File Systems/Carving
      1. File/Data Carving & Recovery Tools
    11. Pcap Inspection
      1. DNSCat pcap analysis
      2. Suricata & Iptables cheatsheet
      3. USB Keystrokes
      4. Wifi Pcap Analysis
      5. Wireshark tricks
    12. Specific Software/File-Type Tricks
      1. Decompile compiled python binaries (exe, elf) - Retreive from .pyc
      2. Browser Artifacts
      3. Deofuscation vbs (cscript.exe)
      4. Discord Cache Forensics
      5. Local Cloud Storage
      6. Mach O Entitlements And Ipsw Indexing
      7. Office file analysis
      8. PDF File analysis
      9. PNG tricks
      10. Structural File Format Exploit Detection
      11. Svg Font Glyph Analysis And Web Drm Deobfuscation
      12. Video and Audio file analysis
      13. ZIPs tricks
    13. Windows Artifacts
      1. Interesting Windows Registry Keys
  14. Python Sandbox Escape & Pyscript
    1. Bypass Python sandboxes
      1. LOAD_NAME / LOAD_CONST opcode OOB Read
      2. Reportlab Xhtml2pdf Triple Brackets Expression Evaluation Rce Cve 2023 33733
    2. Class Pollution (Python's Prototype Pollution)
    3. Keras Model Deserialization Rce And Gadget Hunting
    4. Python Internal Read Gadgets
    5. Pyscript
    6. venv
    7. Web Requests
    8. Bruteforce hash (few chars)
    9. Basic Python
  15. Threat Modeling
  16. Blockchain & Crypto
    1. Mutation Testing With Slither
    2. Defi/AMM Hook Precision
  17. Lua Sandbox Escape
  19. 🧙‍♂️ Generic Hacking
  20. Archive Extraction Path Traversal
  21. Brute Force - CheatSheet
  22. Esim Javacard Exploitation
  23. Exfiltration
  24. Reverse Shells (Linux, Windows, MSFVenom)
    1. MSFVenom - CheatSheet
    2. Reverse Shells - Windows
    3. Reverse Shells - Linux
    4. Expose local to the internet
    5. Full TTYs
  25. Search Exploits
  26. Tunneling and Port Forwarding
  28. 🐧 Linux Hardening
  29. Linux Basics
  30. Checklist - Linux Privilege Escalation
  31. Linux Privilege Escalation
    1. Android Rooting Frameworks Manager Auth Bypass Syscall Hook
    2. Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244
    3. Arbitrary File Write to Root
    4. Cisco - vmanage
    5. Containerd (ctr) Privilege Escalation
    6. D-Bus Enumeration & Command Injection Privilege Escalation
    7. Docker Security
      1. Abusing Docker Socket for Privilege Escalation
      2. AppArmor
      3. AuthZ& AuthN - Docker Access Authorization Plugin
      4. CGroups
      5. Docker --privileged
      6. Docker Breakout / Privilege Escalation
        1. release_agent exploit - Relative Paths to PIDs
        2. Docker release_agent cgroups escape
        3. Sensitive Mounts
      7. Namespaces
        1. CGroup Namespace
        2. IPC Namespace
        3. PID Namespace
        4. Mount Namespace
        5. Network Namespace
        6. Time Namespace
        7. User Namespace
        8. UTS Namespace
      8. Seccomp
      9. Weaponizing Distroless
    8. Escaping from Jails
    9. Posix Cpu Timers Toctou Cve 2025 38352
    10. euid, ruid, suid
    11. Interesting Groups - Linux Privesc
      1. lxd/lxc Group - Privilege escalation
    12. Logstash
    13. ld.so privesc exploit example
    14. Linux Active Directory
    15. Linux Capabilities
    16. NFS no_root_squash/no_all_squash misconfiguration PE
    17. Node inspector/CEF debug abuse
    18. Payloads to execute
    19. RunC Privilege Escalation
    20. SELinux
    21. Socket Command Injection
    22. Splunk LPE and Persistence
    23. SSH Forward Agent exploitation
    24. Wildcards Spare tricks
  32. Useful Linux Commands
  33. Bypass Linux Restrictions
    1. Bypass FS protections: read-only / no-exec / Distroless
      1. DDexec / EverythingExec
  34. Linux Environment Variables
  35. Linux Post-Exploitation
    1. PAM - Pluggable Authentication Modules
  36. FreeIPA Pentesting
  38. 🍏 MacOS Hardening
  39. macOS Security & Privilege Escalation
    1. macOS Apps - Inspecting, debugging and Fuzzing
      1. Objects in memory
      2. Introduction to x64
      3. Introduction to ARM64v8
    2. macOS AppleFS
    3. macOS Bypassing Firewalls
    4. macOS Defensive Apps
    5. Macos Dyld Hijacking And Dyld Insert Libraries
    6. macOS GCD - Grand Central Dispatch
    7. macOS Kernel & System Extensions
      1. macOS IOKit
      2. macOS Kernel Extensions & Kernelcache
      3. macOS Kernel Vulnerabilities
      4. macOS System Extensions
    8. macOS Network Services & Protocols
    9. macOS File Extension & URL scheme app handlers
    10. macOS Files, Folders, Binaries & Memory
      1. macOS Bundles
      2. macOS Installers Abuse
      3. macOS Memory Dumping
      4. macOS Sensitive Locations & Interesting Daemons
      5. macOS Universal binaries & Mach-O Format
    11. macOS Objective-C
    12. macOS Privilege Escalation
    13. macOS Process Abuse
      1. macOS Dirty NIB
      2. macOS Chromium Injection
      3. macOS Electron Applications Injection
      4. macOS Function Hooking
      5. macOS IPC - Inter Process Communication
        1. macOS MIG - Mach Interface Generator
        2. macOS XPC
          1. macOS XPC Authorization
          2. macOS XPC Connecting Process Check
            1. macOS PID Reuse
            2. macOS xpc_connection_get_audit_token Attack
        3. macOS Thread Injection via Task port
      6. macOS Java Applications Injection
      7. macOS Library Injection
        1. macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
        2. macOS Dyld Process
      8. macOS Perl Applications Injection
      9. macOS Python Applications Injection
      10. macOS Ruby Applications Injection
      11. macOS .Net Applications Injection
    14. macOS Security Protections
      1. macOS Gatekeeper / Quarantine / XProtect
      2. macOS Launch/Environment Constraints & Trust Cache
      3. macOS Sandbox
        1. macOS Default Sandbox Debug
        2. macOS Sandbox Debug & Bypass
          1. macOS Office Sandbox Bypasses
      4. macOS Authorizations DB & Authd
      5. macOS SIP
      6. macOS TCC
        1. macOS Apple Events
        2. macOS TCC Bypasses
          1. macOS Apple Scripts
        3. macOS TCC Payloads
      7. macOS Dangerous Entitlements & TCC perms
      8. macOS - AMFI - AppleMobileFileIntegrity
      9. macOS MACF - Mandatory Access Control Framework
      10. macOS Code Signing
      11. macOS FS Tricks
        1. macOS xattr-acls extra stuff
    15. macOS Users & External Accounts
  40. macOS Red Teaming
    1. macOS MDM
      1. Enrolling Devices in Other Organisations
      2. macOS Serial Number
    2. macOS Keychain
  41. macOS Useful Commands
  42. macOS Auto Start
  44. 🪟 Windows Hardening
  45. Authentication Credentials Uac And Efs
  46. Checklist - Local Windows Privilege Escalation
  47. Windows Local Privilege Escalation
    1. Abusing Auto Updaters And Ipc
    2. Arbitrary Kernel Rw Token Theft
    3. Abusing Tokens
    4. Access Tokens
    5. ACLs - DACLs/SACLs/ACEs
    6. AppendData/AddSubdirectory permission over service registry
    7. Create MSI with WIX
    8. COM Hijacking
    9. Dll Hijacking
      1. Writable Sys Path +Dll Hijacking Privesc
    10. DPAPI - Extracting Passwords
    11. From High Integrity to SYSTEM with Name Pipes
    12. Integrity Levels
    13. JuicyPotato
    14. Leaked Handle Exploitation
    15. MSI Wrapper
    16. Named Pipe Client Impersonation
    17. Privilege Escalation with Autoruns
    18. RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
    19. SeDebug + SeImpersonate copy token
    20. SeImpersonate from High To System
    21. Semanagevolume Perform Volume Maintenance Tasks
    22. Service Triggers
    23. Windows C Payloads
  48. Active Directory Methodology
    1. Abusing Active Directory ACLs/ACEs
      1. BadSuccessor
      2. Shadow Credentials
    2. AD Certificates
      1. AD CS Account Persistence
      2. AD CS Domain Escalation
      3. AD CS Domain Persistence
      4. AD CS Certificate Theft
    3. Ad Certificates
    4. AD information in printers
    5. AD DNS Records
    6. Adws Enumeration
    7. ASREPRoast
    8. Badsuccessor Dmsa Migration Abuse
    9. BloodHound & Other AD Enum Tools
    10. Constrained Delegation
    11. Custom SSP
    12. DCShadow
    13. DCSync
    14. Diamond Ticket
    15. DSRM Credentials
    16. External Forest Domain - OneWay (Inbound) or bidirectional
    17. External Forest Domain - One-Way (Outbound)
    18. Golden Dmsa Gmsa
    19. Golden Ticket
    20. Kerberoast
    21. Kerberos Authentication
    22. Kerberos Double Hop Problem
    23. Lansweeper Security
    24. LAPS
    25. MSSQL AD Abuse
    26. Over Pass the Hash/Pass the Key
    27. Pass the Ticket
    28. Password Spraying / Brute Force
    29. PrintNightmare
    30. Force NTLM Privileged Authentication
    31. Privileged Groups
    32. RDP Sessions Abuse
    33. Resource-based Constrained Delegation
    34. Sccm Management Point Relay Sql Policy Secrets
    35. Security Descriptors
    36. SID-History Injection
    37. Silver Ticket
    38. Skeleton Key
    39. Timeroasting
    40. Unconstrained Delegation
  49. Windows Security Controls
    1. UAC - User Account Control
  50. NTLM
    1. Places to steal NTLM creds
  51. Lateral Movement
    1. AtExec / SchtasksExec
    2. DCOM Exec
    3. PsExec/Winexec/ScExec
    4. RDPexec
    5. SCMexec
    6. WinRM
    7. WmiExec
  52. Pivoting to the Cloud$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/index.html$$
  53. Stealing Windows Credentials
    1. Windows Credentials Protections
    2. Mimikatz
    3. WTS Impersonator
  54. Basic Win CMD for Pentesters
  55. Basic PowerShell for Pentesters
    1. PowerView/SharpView
  56. Antivirus (AV) Bypass
  57. Cobalt Strike
  58. Mythic
  60. 📱 Mobile Pentesting
  61. Android APK Checklist
  62. Android Applications Pentesting
    1. Accessibility Services Abuse
    2. Android Anti Instrumentation And Ssl Pinning Bypass
    3. Android Applications Basics
    4. Android Hce Nfc Emv Relay Attacks
    5. Android Task Hijacking
    6. ADB Commands
    7. APK decompilers
    8. AVD - Android Virtual Device
    9. Bypass Biometric Authentication (Android)
    10. content:// protocol
    11. Drozer Tutorial
      1. Exploiting Content Providers
    12. Exploiting a debuggeable application
    13. Flutter
    14. Frida Tutorial
      1. Frida Tutorial 1
      2. Frida Tutorial 2
      3. Frida Tutorial 3
      4. Objection Tutorial
    15. Google CTF 2018 - Shall We Play a Game?
    16. In Memory Jni Shellcode Execution
    17. Insecure In App Update Rce
    18. Install Burp Certificate
    19. Intent Injection
    20. Make APK Accept CA Certificate
    21. Manual DeObfuscation
    22. React Native Application
    23. Reversing Native Libraries
    24. Shizuku Privileged Api
    25. Smali - Decompiling, Modifying, Compiling
    26. Spoofing your location in Play Store
    27. Tapjacking
    28. Webview Attacks
  63. iOS Pentesting Checklist
  64. iOS Pentesting
    1. Air Keyboard Remote Input Injection
    2. iOS App Extensions
    3. iOS Basics
    4. iOS Basic Testing Operations
    5. iOS Burp Suite Configuration
    6. iOS Custom URI Handlers / Deeplinks / Custom Schemes
    7. iOS Extracting Entitlements From Compiled Application
    8. iOS Frida Configuration
    9. iOS Hooking With Objection
    10. iOS Pentesting withuot Jailbreak
    11. iOS Protocol Handlers
    12. iOS Serialisation and Encoding
    13. iOS Testing Environment
    14. iOS UIActivity Sharing
    15. iOS Universal Links
    16. iOS UIPasteboard
    17. iOS WebViews
    18. Itunesstored Bookassetd Sandbox Escape
  65. Cordova Apps
  66. Xamarin Apps
  68. 👽 Network Services Pentesting
  69. 4222 Pentesting Nats
  70. Pentesting JDWP - Java Debug Wire Protocol
  71. Pentesting Printers$$external:http://hacking-printers.net/wiki/index.php/Main_Page$$
  72. Pentesting SAP
  73. Pentesting VoIP
    1. Basic VoIP Protocols
      1. SIP (Session Initiation Protocol)
  74. Pentesting Remote GdbServer
  75. 7/tcp/udp - Pentesting Echo
  76. 21 - Pentesting FTP
    1. FTP Bounce attack - Scan
    2. FTP Bounce - Download 2ºFTP file
  77. 22 - Pentesting SSH/SFTP
  78. 23 - Pentesting Telnet
  79. 25,465,587 - Pentesting SMTP/s
    1. SMTP Smuggling
    2. SMTP - Commands
  80. 43 - Pentesting WHOIS
  81. 49 - Pentesting TACACS+
  82. 53 - Pentesting DNS
  83. 69/UDP TFTP/Bittorrent-tracker
  84. 79 - Pentesting Finger
  85. 80,443 - Pentesting Web Methodology
    1. 403 & 401 Bypasses
    2. AEM - Adobe Experience Cloud
    3. Angular
    4. Apache
    5. Artifactory Hacking guide
    6. Bolt CMS
    7. Buckets
      1. Firebase Database
    8. CGI
    9. Django
    10. DotNetNuke (DNN)
    11. Drupal
      1. Drupal RCE
    12. Electron Desktop Apps
      1. Electron contextIsolation RCE via preload code
      2. Electron contextIsolation RCE via Electron internal code
      3. Electron contextIsolation RCE via IPC
    13. Flask
    14. Fortinet Fortiweb
    15. Git
    16. Golang
    17. Grafana
    18. GraphQL
    19. H2 - Java SQL database
    20. IIS - Internet Information Services
    21. ImageMagick Security
    22. Ispconfig
    23. JBOSS
    24. Jira & Confluence
    25. Joomla
    26. JSP
    27. Laravel
    28. Microsoft Sharepoint
    29. Moodle
    30. NextJS
    31. Nginx
    32. NodeJS Express
    33. Sitecore
    34. PHP Tricks
      1. PHP - Useful Functions & disable_functions/open_basedir bypass
        1. disable_functions bypass - php-fpm/FastCGI
        2. disable_functions bypass - dl function
        3. disable_functions bypass - PHP 7.0-7.4 (-nix only)
        4. disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
        5. disable_functions - PHP 5.x Shellshock Exploit
        6. disable_functions - PHP 5.2.4 ionCube extension Exploit
        7. disable_functions bypass - PHP <= 5.2.9 on windows
        8. disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
        9. disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
        10. disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
        11. disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
        12. disable_functions bypass - PHP 5.2 - FOpen Exploit
        13. disable_functions bypass - via mem
        14. disable_functions bypass - mod_cgi
        15. disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
      2. Php Rce Abusing Object Creation New Usd Get A Usd Get B
      3. PHP SSRF
    35. Perl Tricks
    36. PrestaShop
    37. Python
    38. Rocket Chat
    39. Ruby Tricks
    40. Special HTTP headers$$external:network-services-pentesting/pentesting-web/special-http-headers.md$$
    41. Source code Review / SAST Tools
    42. Special Http Headers
    43. Roundcube
    44. Spring Actuators
    45. Symfony
    46. Tomcat
    47. Telerik Ui Aspnet Ajax Unsafe Reflection Webresource Axd
    48. Uncovering CloudFlare
    49. Vuejs
    50. VMWare (ESX, VCenter...)
    51. Web API Pentesting
    52. WebDav
    53. Werkzeug / Flask Debug
    54. Wordpress
  86. 88tcp/udp - Pentesting Kerberos
    1. Harvesting tickets from Windows
    2. Harvesting tickets from Linux
    3. Wsgi
    4. Zabbix
  87. 110,995 - Pentesting POP
  88. 111/TCP/UDP - Pentesting Portmapper
  89. 113 - Pentesting Ident
  90. 123/udp - Pentesting NTP
  91. 135, 593 - Pentesting MSRPC
  92. 137,138,139 - Pentesting NetBios
  93. 139,445 - Pentesting SMB
    1. Ksmbd Attack Surface And Fuzzing Syzkaller
    2. rpcclient enumeration
  94. 143,993 - Pentesting IMAP
  95. 161,162,10161,10162/udp - Pentesting SNMP
    1. Cisco SNMP
    2. SNMP RCE
  96. 194,6667,6660-7000 - Pentesting IRC
  97. 264 - Pentesting Check Point FireWall-1
  98. 389, 636, 3268, 3269 - Pentesting LDAP
  99. 500/udp - Pentesting IPsec/IKE VPN
  100. 502 - Pentesting Modbus
  101. 512 - Pentesting Rexec
  102. 513 - Pentesting Rlogin
  103. 514 - Pentesting Rsh
  104. 515 - Pentesting Line Printer Daemon (LPD)
  105. 548 - Pentesting Apple Filing Protocol (AFP)
  106. 554,8554 - Pentesting RTSP
  107. 623/UDP/TCP - IPMI
  108. 631 - Internet Printing Protocol(IPP)
  109. 700 - Pentesting EPP
  110. 873 - Pentesting Rsync
  111. 1026 - Pentesting Rusersd
  112. 1080 - Pentesting Socks
  113. 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
  114. 1414 - Pentesting IBM MQ
  115. 1433 - Pentesting MSSQL - Microsoft SQL Server
    1. Types of MSSQL Users
  116. 1521,1522-1529 - Pentesting Oracle TNS Listener
  117. 1723 - Pentesting PPTP
  118. 1883 - Pentesting MQTT (Mosquitto)
  119. 2049 - Pentesting NFS Service
  120. 2301,2381 - Pentesting Compaq/HP Insight Manager
  121. 2375, 2376 Pentesting Docker
  122. 3128 - Pentesting Squid
  123. 3260 - Pentesting ISCSI
  124. 3299 - Pentesting SAPRouter
  125. 3306 - Pentesting Mysql
  126. 3389 - Pentesting RDP
  127. 3632 - Pentesting distcc
  128. 3690 - Pentesting Subversion (svn server)
  129. 3702/UDP - Pentesting WS-Discovery
  130. 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
  131. 4786 - Cisco Smart Install
  132. 4840 - OPC Unified Architecture
  133. 5000 - Pentesting Docker Registry
  134. 5353/UDP Multicast DNS (mDNS) and DNS-SD
  135. 5432,5433 - Pentesting Postgresql
  136. 5439 - Pentesting Redshift
  137. 5555 - Android Debug Bridge
  138. 5601 - Pentesting Kibana
  139. 5671,5672 - Pentesting AMQP
  140. 5800,5801,5900,5901 - Pentesting VNC
  141. 5984,6984 - Pentesting CouchDB
  142. 5985,5986 - Pentesting WinRM
  143. 5985,5986 - Pentesting OMI
  144. 6000 - Pentesting X11
  145. 6379 - Pentesting Redis
  146. 8009 - Pentesting Apache JServ Protocol (AJP)
  147. 8086 - Pentesting InfluxDB
  148. 8089 - Pentesting Splunkd
  149. 8333,18333,38333,18444 - Pentesting Bitcoin
  150. 9000 - Pentesting FastCGI
  151. 9001 - Pentesting HSQLDB
  152. 9042/9160 - Pentesting Cassandra
  153. 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
  154. 9200 - Pentesting Elasticsearch
  155. 10000 - Pentesting Network Data Management Protocol (ndmp)
  156. 11211 - Pentesting Memcache
    1. Memcache Commands
  157. 15672 - Pentesting RabbitMQ Management
  158. 24007,24008,24009,49152 - Pentesting GlusterFS
  159. 27017,27018 - Pentesting MongoDB
  160. 32100 Udp - Pentesting Pppp Cs2 P2p Cameras
  161. 44134 - Pentesting Tiller (Helm)
  162. 44818/UDP/TCP - Pentesting EthernetIP
  163. 47808/udp - Pentesting BACNet
  164. 50030,50060,50070,50075,50090 - Pentesting Hadoop
  166. 🕸️ Pentesting Web
  167. Web Vulnerabilities Methodology
  168. Reflecting Techniques - PoCs and Polygloths CheatSheet
    1. Web Vulns List
  169. 2FA/MFA/OTP Bypass
  170. Account Takeover
  171. Browser Extension Pentesting Methodology
    1. BrowExt - ClickJacking
    2. BrowExt - permissions & host_permissions
    3. BrowExt - XSS Example
    4. Forced Extension Load Preferences Mac Forgery Windows
  172. Bypass Payment Process
  173. Captcha Bypass
  174. Cache Poisoning and Cache Deception
    1. Cache Poisoning via URL discrepancies
    2. Cache Poisoning to DoS
  175. Clickjacking
  176. Client Side Template Injection (CSTI)
  177. Client Side Path Traversal
  178. Command Injection
  179. Content Security Policy (CSP) Bypass
    1. CSP bypass: self + 'unsafe-inline' with Iframes
  180. Cookies Hacking
    1. Cookie Tossing
    2. Cookie Jar Overflow
    3. Cookie Bomb
  181. CORS - Misconfigurations & Bypass
  182. CRLF (%0D%0A) Injection
  183. CSRF (Cross Site Request Forgery)
  184. Dangling Markup - HTML scriptless injection
    1. SS-Leaks
  185. DApps - Decentralized Applications
  186. Dependency Confusion
  187. Deserialization
    1. NodeJS - __proto__ & prototype Pollution
      1. Client Side Prototype Pollution
      2. Express Prototype Pollution Gadgets
      3. Prototype Pollution to RCE
    2. Java JSF ViewState (.faces) Deserialization
    3. Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
    4. Basic Java Deserialization (ObjectInputStream, readObject)
    5. Java Signedobject Gated Deserialization
    6. PHP - Deserialization + Autoload Classes
    7. CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
    8. Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
    9. Exploiting __VIEWSTATE knowing the secrets
    10. Exploiting __VIEWSTATE without knowing the secrets
    11. Python Yaml Deserialization
    12. JNDI - Java Naming and Directory Interface & Log4Shell
    13. Ruby Json Pollution
    14. Ruby Class Pollution
  188. Domain/Subdomain takeover
  189. Email Injections
  190. File Inclusion/Path traversal
    1. phar:// deserialization
    2. LFI2RCE via PHP Filters
    3. LFI2RCE via Nginx temp files
    4. LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
    5. LFI2RCE via Segmentation Fault
    6. LFI2RCE via phpinfo()
    7. LFI2RCE Via temp file uploads
    8. LFI2RCE via Eternal waiting
    9. LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
  191. File Upload
    1. PDF Upload - XXE and CORS bypass
  192. Formula/CSV/Doc/LaTeX/GhostScript Injection
  193. gRPC-Web Pentest
  194. HTTP Connection Contamination
  195. HTTP Connection Request Smuggling
  196. HTTP Request Smuggling / HTTP Desync Attack
    1. Browser HTTP Request Smuggling
    2. Request Smuggling in HTTP/2 Downgrades
  197. HTTP Response Smuggling / Desync
  198. Upgrade Header Smuggling
  199. hop-by-hop headers
  200. IDOR
  201. JWT Vulnerabilities (Json Web Tokens)
  202. JSON, XML and YAML Hacking
  203. LDAP Injection
  204. Login Bypass
    1. Login bypass List
  205. Mass Assignment Cwe 915
  206. NoSQL injection
  207. OAuth to Account takeover
  208. Open Redirect
  209. ORM Injection
  210. Parameter Pollution | JSON Injection
  211. Phone Number Injections
  212. PostMessage Vulnerabilities
    1. Blocking main page to steal postmessage
    2. Bypassing SOP with Iframes - 1
    3. Bypassing SOP with Iframes - 2
    4. Steal postmessage modifying iframe location
  213. Proxy / WAF Protections Bypass
  214. Race Condition
  215. Rate Limit Bypass
  216. Registration & Takeover Vulnerabilities
  217. Regular expression Denial of Service - ReDoS
  218. Reset/Forgotten Password Bypass
  219. Reverse Tab Nabbing
  220. RSQL Injection
  221. SAML Attacks
    1. SAML Basics
  222. Server Side Inclusion/Edge Side Inclusion Injection
  223. SQL Injection
    1. MS Access SQL Injection
    2. MSSQL Injection
    3. MySQL injection
      1. MySQL File priv to SSRF/RCE
    4. Oracle injection
    5. Cypher Injection (neo4j)
    6. Sqlmap
    7. PostgreSQL injection
      1. dblink/lo_import data exfiltration
      2. PL/pgSQL Password Bruteforce
      3. Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
      4. Big Binary Files Upload (PostgreSQL)
      5. RCE with PostgreSQL Languages
      6. RCE with PostgreSQL Extensions
    8. SQLMap - CheatSheet
      1. Second Order Injection - SQLMap
  224. SSRF (Server Side Request Forgery)
    1. URL Format Bypass
    2. SSRF Vulnerable Platforms
    3. Cloud SSRF
  225. SSTI (Server Side Template Injection)
    1. EL - Expression Language
    2. Jinja2 SSTI
  226. Timing Attacks
  227. Unicode Injection
    1. Unicode Normalization
  228. UUID Insecurities
  229. WebSocket Attacks
  230. Web Tool - WFuzz
  231. XPATH injection
  232. XS Search
  233. XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
  234. XXE - XEE - XML External Entity
  235. XSS (Cross Site Scripting)
    1. Abusing Service Workers
    2. Chrome Cache to XSS
    3. Debugging Client Side JS
    4. Dom Clobbering
    5. DOM Invader
    6. DOM XSS
    7. Iframes in XSS, CSP and SOP
    8. Integer Overflow
    9. JS Hoisting
    10. Misc JS Tricks & Relevant Info
    11. PDF Injection
    12. Server Side XSS (Dynamic PDF)
    13. Shadow DOM
    14. SOME - Same Origin Method Execution
    15. Sniff Leak
    16. Steal Info JS
    17. Wasm Linear Memory Template Overwrite Xss
    18. XSS in Markdown
  236. XSSI (Cross-Site Script Inclusion)
  237. XS-Search/XS-Leaks
    1. Connection Pool Examples
    2. Connection Pool by Destination Example
    3. Cookie Bomb + Onerror XS Leak
    4. URL Max Length - Client Side
    5. performance.now example
    6. performance.now + Force heavy task
    7. Event Loop Blocking + Lazy images
    8. JavaScript Execution XS Leak
    9. CSS Injection
      1. CSS Injection Code
      2. LESS Code Injection
  238. Iframe Traps
  240. ⛈️ Cloud Security
  241. Pentesting Kubernetes$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/index.html$$
  242. Pentesting Cloud (AWS, GCP, Az...)$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/pentesting-cloud-methodology.html$$
  243. Pentesting CI/CD (Github, Jenkins, Terraform...)$$external:https://cloud.hacktricks.wiki/en/pentesting-ci-cd/pentesting-ci-cd-methodology.html$$
  245. 😎 Hardware/Physical Access
  246. Physical Attacks
  247. Escaping from KIOSKs
  248. Firmware Analysis
    1. Android Mediatek Secure Boot Bl2 Ext Bypass El3
    2. Bootloader testing
    3. Firmware Integrity
  250. 🎯 Binary Exploitation
  251. Basic Stack Binary Exploitation Methodology
    1. ELF Basic Information
    2. Exploiting Tools
      1. PwnTools
  252. Stack Overflow
    1. Pointer Redirecting
    2. Ret2win
      1. Ret2win - arm64
    3. Stack Shellcode
      1. Stack Shellcode - arm64
    4. Stack Pivoting - EBP2Ret - EBP chaining
    5. Uninitialized Variables
    6. ROP & JOP
    7. BROP - Blind Return Oriented Programming
    8. Ret2csu
    9. Ret2dlresolve
    10. Ret2esp / Ret2reg
    11. Ret2lib
      1. Leaking libc address with ROP
        1. Leaking libc - template
      2. One Gadget
      3. Ret2lib + Printf leak - arm64
    12. Ret2syscall
      1. Ret2syscall - ARM64
    13. Ret2vDSO
    14. SROP - Sigreturn-Oriented Programming
      1. SROP - ARM64
    15. Synology Encrypted Archive Decryption
    16. Windows Seh Overflow
  253. Array Indexing
  254. Chrome Exploiting
  255. Integer Overflow
  256. Format Strings
    1. Format Strings - Arbitrary Read Example
    2. Format Strings Template
  257. Libc Heap
    1. Bins & Memory Allocations
    2. Heap Memory Functions
      1. free
      2. malloc & sysmalloc
      3. unlink
      4. Heap Functions Security Checks
    3. Use After Free
      1. First Fit
    4. Double Free
    5. Overwriting a freed chunk
    6. Heap Overflow
    7. Unlink Attack
    8. Fast Bin Attack
    9. Unsorted Bin Attack
    10. Large Bin Attack
    11. Tcache Bin Attack
    12. Off by one overflow
    13. House of Spirit
    14. House of Lore | Small bin Attack
    15. House of Einherjar
    16. House of Force
    17. House of Orange
    18. House of Rabbit
    19. House of Roman
  258. Common Binary Exploitation Protections & Bypasses
    1. ASLR
      1. Ret2plt
      2. Ret2ret & Reo2pop
    2. CET & Shadow Stack
    3. Libc Protections
    4. Memory Tagging Extension (MTE)
    5. No-exec / NX
    6. PIE
      1. BF Addresses in the Stack
    7. Relro
    8. Stack Canaries
      1. BF Forked & Threaded Stack Canaries
      2. Print Stack Canary
  259. Write What Where 2 Exec
    1. Aw2exec Sips Icc Profile
    2. WWW2Exec - atexit()
    3. WWW2Exec - .dtors & .fini_array
    4. WWW2Exec - GOT/PLT
    5. WWW2Exec - __malloc_hook & __free_hook
  260. Common Exploiting Problems
  261. Adreno A7xx Sds Rb Priv Bypass Gpu Smmu Kernel Rw
  262. Ksmbd Streams Xattr Oob Write Cve 2025 37947
  263. Linux kernel exploitation - toctou
  264. PS5 compromission
  265. Windows Exploiting (Basic Guide - OSCP lvl)
  266. iOS Exploiting
    1. ios CVE-2020-27950-mach_msg_trailer_t
    2. ios CVE-2021-30807-IOMobileFrameBuffer
    3. Imessage Media Parser Zero Click Coreaudio Pac Bypass
    4. ios Corellium
    5. ios Heap Exploitation
    6. ios Physical UAF - IOSurface
  268. 🤖 AI
  269. AI Security
    1. Ai Assisted Fuzzing And Vulnerability Discovery
    2. AI Security Methodology
    3. AI MCP Security
    4. AI Model Data Preparation
    5. AI Models RCE
    6. AI Prompts
    7. AI Risk Frameworks
    8. AI Supervised Learning Algorithms
    9. AI Unsupervised Learning Algorithms
    10. AI Reinforcement Learning Algorithms
    11. LLM Training
      1. 0. Basic LLM Concepts
      2. 1. Tokenizing
      3. 2. Data Sampling
      4. 3. Token Embeddings
      5. 4. Attention Mechanisms
      6. 5. LLM Architecture
      7. 6. Pre-training & Loading models
      8. 7.0. LoRA Improvements in fine-tuning
      9. 7.1. Fine-Tuning for Classification
      10. 7.2. Fine-Tuning to follow instructions
  271. 🔩 Reversing
  272. Reversing Tools & Basic Methods
    1. Angr
      1. Angr - Examples
    2. Z3 - Satisfiability Modulo Theories (SMT)
    3. Cheat Engine
    4. Blobrunner
  273. Common API used in Malware
  274. Word Macros
  276. 🔮 Crypto & Stego
  277. Cryptographic/Compression Algorithms
    1. Unpacking binaries
  278. Certificates
  279. Cipher Block Chaining CBC-MAC
  280. Crypto CTFs Tricks
  281. Electronic Code Book (ECB)
  282. Hash Length Extension Attack
  283. Padding Oracle
  284. RC4 - Encrypt&Decrypt
  285. Stego Tricks
  286. Esoteric languages
  288. ✍️ TODO
  289. Interesting Http
  290. Rust Basics
  291. More Tools
  292. Hardware Hacking
    1. Fault Injection Attacks
    2. I2C
    3. Side Channel Analysis
    4. UART
    5. Radio
    6. JTAG
    7. SPI
  293. Industrial Control Systems Hacking
    1. Modbus Protocol
  294. Radio Hacking
    1. Maxiprox Mobile Cloner
    2. Pentesting RFID
    3. Infrared
    4. Sub-GHz RF
    5. iButton
    6. Flipper Zero
      1. FZ - NFC
      2. FZ - Sub-GHz
      3. FZ - Infrared
      4. FZ - iButton
      5. FZ - 125kHz RFID
    7. Proxmark 3
    8. FISSURE - The RF Framework
    9. Low-Power Wide Area Network
    10. Pentesting BLE - Bluetooth Low Energy
  295. Test LLMs
  296. Burp Suite
  297. Other Web Tricks
  298. Interesting HTTP$$external:todo/interesting-http.md$$
  299. Android Forensics
  300. Online Platforms with API
  301. Stealing Sensitive Information Disclosure from a Web
  302. Post Exploitation
  303. Investment Terms
  304. Cookies Policy