2. 👾 Welcome!
  3. HackTricks
  4. HackTricks Values & FAQ
  5. About the author
  7. 🤩 Generic Methodologies & Resources
  8. Pentesting Methodology
  9. External Recon Methodology
    1. Wide Source Code Search
    2. Github Dorks & Leaks
  11. Pentesting Network
    1. DHCPv6
    2. EIGRP Attacks
    3. GLBP & HSRP Attacks
    4. IDS and IPS Evasion
    5. Lateral VLAN Segmentation Bypass
    6. Network Protocols Explained (ESP)
    7. Nmap Summary (ESP)
    8. Pentesting IPv6
    9. Telecom Network Exploitation
    10. WebRTC DoS
    11. Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
    12. Spoofing SSDP and UPnP Devices with EvilSSDP
  13. Pentesting Wifi
    1. Enable Nexmon Monitor And Injection On Android
    2. Evil Twin EAP-TLS
  15. Phishing Methodology
    1. Clipboard Hijacking
    2. Clone a Website
    3. Detecting Phishing
    4. Discord Invite Hijacking
    5. Homograph Attacks
    6. Mobile Phishing Malicious Apps
    7. Phishing Files & Documents
  17. Basic Forensic Methodology
    1. Baseline Monitoring
    2. Anti-Forensic Techniques
    3. Docker Forensics
    4. Image Acquisition & Mount
    5. Linux Forensics
    6. Malware Analysis
    7. Memory dump analysis
      1. Volatility - CheatSheet
    9. Partitions/File Systems/Carving
      1. File/Data Carving & Recovery Tools
    11. Pcap Inspection
      1. DNSCat pcap analysis
      2. Suricata & Iptables cheatsheet
      3. USB Keystrokes
      4. Wifi Pcap Analysis
      5. Wireshark tricks
    13. Specific Software/File-Type Tricks
      1. Decompile compiled python binaries (exe, elf) - Retreive from .pyc
      2. Browser Artifacts
      3. Deofuscation vbs (cscript.exe)
      4. Local Cloud Storage
      5. Office file analysis
      6. PDF File analysis
      7. PNG tricks
      8. Video and Audio file analysis
      9. ZIPs tricks
    15. Windows Artifacts
      1. Interesting Windows Registry Keys
  19. Python Sandbox Escape & Pyscript
    1. Bypass Python sandboxes
      1. LOAD_NAME / LOAD_CONST opcode OOB Read
    3. Class Pollution (Python's Prototype Pollution)
    4. Python Internal Read Gadgets
    5. Pyscript
    6. venv
    7. Web Requests
    8. Bruteforce hash (few chars)
    9. Basic Python
  21. Threat Modeling
  23. 🧙‍♂️ Generic Hacking
  24. Archive Extraction Path Traversal
  25. Brute Force - CheatSheet
  26. Esim Javacard Exploitation
  27. Exfiltration
  28. Reverse Shells (Linux, Windows, MSFVenom)
    1. MSFVenom - CheatSheet
    2. Reverse Shells - Windows
    3. Reverse Shells - Linux
    4. Expose local to the internet
    5. Full TTYs
  30. Search Exploits
  31. Tunneling and Port Forwarding
  33. 🐧 Linux Hardening
  34. Checklist - Linux Privilege Escalation
  35. Linux Privilege Escalation
    1. Arbitrary File Write to Root
    2. Cisco - vmanage
    3. Containerd (ctr) Privilege Escalation
    4. D-Bus Enumeration & Command Injection Privilege Escalation
    5. Docker Security
      1. Abusing Docker Socket for Privilege Escalation
      2. AppArmor
      3. AuthZ& AuthN - Docker Access Authorization Plugin
      4. CGroups
      5. Docker --privileged
      6. Docker Breakout / Privilege Escalation
        1. release_agent exploit - Relative Paths to PIDs
        2. Docker release_agent cgroups escape
        3. Sensitive Mounts
      8. Namespaces
        1. CGroup Namespace
        2. IPC Namespace
        3. PID Namespace
        4. Mount Namespace
        5. Network Namespace
        6. Time Namespace
        7. User Namespace
        8. UTS Namespace
      10. Seccomp
      11. Weaponizing Distroless
    7. Escaping from Jails
    8. euid, ruid, suid
    9. Interesting Groups - Linux Privesc
      1. lxd/lxc Group - Privilege escalation
    11. Logstash
    12. ld.so privesc exploit example
    13. Linux Active Directory
    14. Linux Capabilities
    15. NFS no_root_squash/no_all_squash misconfiguration PE
    16. Node inspector/CEF debug abuse
    17. Payloads to execute
    18. RunC Privilege Escalation
    19. SELinux
    20. Socket Command Injection
    21. Splunk LPE and Persistence
    22. SSH Forward Agent exploitation
    23. Wildcards Spare tricks
  37. Useful Linux Commands
  38. Bypass Linux Restrictions
    1. Bypass FS protections: read-only / no-exec / Distroless
      1. DDexec / EverythingExec
  40. Linux Environment Variables
  41. Linux Post-Exploitation
    1. PAM - Pluggable Authentication Modules
  43. FreeIPA Pentesting
  45. 🍏 MacOS Hardening
  46. macOS Security & Privilege Escalation
    1. macOS Apps - Inspecting, debugging and Fuzzing
      1. Objects in memory
      2. Introduction to x64
      3. Introduction to ARM64v8
    3. macOS AppleFS
    4. macOS Bypassing Firewalls
    5. macOS Defensive Apps
    6. Macos Dyld Hijacking And Dyld Insert Libraries
    7. macOS GCD - Grand Central Dispatch
    8. macOS Kernel & System Extensions
      1. macOS IOKit
      2. macOS Kernel Extensions & Debugging
      3. macOS Kernel Vulnerabilities
      4. macOS System Extensions
    10. macOS Network Services & Protocols
    11. macOS File Extension & URL scheme app handlers
    12. macOS Files, Folders, Binaries & Memory
      1. macOS Bundles
      2. macOS Installers Abuse
      3. macOS Memory Dumping
      4. macOS Sensitive Locations & Interesting Daemons
      5. macOS Universal binaries & Mach-O Format
    14. macOS Objective-C
    15. macOS Privilege Escalation
    16. macOS Process Abuse
      1. macOS Dirty NIB
      2. macOS Chromium Injection
      3. macOS Electron Applications Injection
      4. macOS Function Hooking
      5. macOS IPC - Inter Process Communication
        1. macOS MIG - Mach Interface Generator
        2. macOS XPC
          1. macOS XPC Authorization
          2. macOS XPC Connecting Process Check
            1. macOS PID Reuse
            2. macOS xpc_connection_get_audit_token Attack
        4. macOS Thread Injection via Task port
      7. macOS Java Applications Injection
      8. macOS Library Injection
        1. macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
        2. macOS Dyld Process
      10. macOS Perl Applications Injection
      11. macOS Python Applications Injection
      12. macOS Ruby Applications Injection
      13. macOS .Net Applications Injection
    18. macOS Security Protections
      1. macOS Gatekeeper / Quarantine / XProtect
      2. macOS Launch/Environment Constraints & Trust Cache
      3. macOS Sandbox
        1. macOS Default Sandbox Debug
        2. macOS Sandbox Debug & Bypass
          1. macOS Office Sandbox Bypasses
      5. macOS Authorizations DB & Authd
      6. macOS SIP
      7. macOS TCC
        1. macOS Apple Events
        2. macOS TCC Bypasses
          1. macOS Apple Scripts
        4. macOS TCC Payloads
      9. macOS Dangerous Entitlements & TCC perms
      10. macOS - AMFI - AppleMobileFileIntegrity
      11. macOS MACF - Mandatory Access Control Framework
      12. macOS Code Signing
      13. macOS FS Tricks
        1. macOS xattr-acls extra stuff
    20. macOS Users & External Accounts
  48. macOS Red Teaming
    1. macOS MDM
      1. Enrolling Devices in Other Organisations
      2. macOS Serial Number
    3. macOS Keychain
  50. macOS Useful Commands
  51. macOS Auto Start
  53. 🪟 Windows Hardening
  54. Authentication Credentials Uac And Efs
  55. Checklist - Local Windows Privilege Escalation
  56. Windows Local Privilege Escalation
    1. Dll Hijacking
    2. Abusing Tokens
    3. Access Tokens
    4. ACLs - DACLs/SACLs/ACEs
    5. AppendData/AddSubdirectory permission over service registry
    6. Create MSI with WIX
    7. COM Hijacking
    8. Dll Hijacking
      1. Writable Sys Path +Dll Hijacking Privesc
    10. DPAPI - Extracting Passwords
    11. From High Integrity to SYSTEM with Name Pipes
    12. Integrity Levels
    13. JuicyPotato
    14. Leaked Handle Exploitation
    15. MSI Wrapper
    16. Named Pipe Client Impersonation
    17. Privilege Escalation with Autoruns
    18. RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
    19. SeDebug + SeImpersonate copy token
    20. SeImpersonate from High To System
    21. Windows C Payloads
  58. Active Directory Methodology
    1. Abusing Active Directory ACLs/ACEs
      1. BadSuccessor
      2. Shadow Credentials
    3. AD Certificates
      1. AD CS Account Persistence
      2. AD CS Domain Escalation
      3. AD CS Domain Persistence
      4. AD CS Certificate Theft
    5. Ad Certificates
    6. AD information in printers
    7. AD DNS Records
    8. Adws Enumeration
    9. ASREPRoast
    10. Badsuccessor Dmsa Migration Abuse
    11. BloodHound & Other AD Enum Tools
    12. Constrained Delegation
    13. Custom SSP
    14. DCShadow
    15. DCSync
    16. Diamond Ticket
    17. DSRM Credentials
    18. External Forest Domain - OneWay (Inbound) or bidirectional
    19. External Forest Domain - One-Way (Outbound)
    20. Golden Dmsa Gmsa
    21. Golden Ticket
    22. Kerberoast
    23. Kerberos Authentication
    24. Kerberos Double Hop Problem
    25. LAPS
    26. MSSQL AD Abuse
    27. Over Pass the Hash/Pass the Key
    28. Pass the Ticket
    29. Password Spraying / Brute Force
    30. PrintNightmare
    31. Force NTLM Privileged Authentication
    32. Privileged Groups
    33. RDP Sessions Abuse
    34. Resource-based Constrained Delegation
    35. Sccm Management Point Relay Sql Policy Secrets
    36. Security Descriptors
    37. SID-History Injection
    38. Silver Ticket
    39. Skeleton Key
    40. Timeroasting
    41. Unconstrained Delegation
  60. Windows Security Controls
    1. UAC - User Account Control
  62. NTLM
    1. Places to steal NTLM creds
  64. Lateral Movement
    1. AtExec / SchtasksExec
    2. DCOM Exec
    3. PsExec/Winexec/ScExec
    4. RDPexec
    5. SCMexec
    6. WinRM
    7. WmiExec
  66. Pivoting to the Cloud$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/index.html$$
  67. Stealing Windows Credentials
    1. Windows Credentials Protections
    2. Mimikatz
    3. WTS Impersonator
  69. Basic Win CMD for Pentesters
  70. Basic PowerShell for Pentesters
    1. PowerView/SharpView
  72. Antivirus (AV) Bypass
  73. Cobalt Strike
  74. Mythic
  76. 📱 Mobile Pentesting
  77. Android APK Checklist
  78. Android Applications Pentesting
    1. Accessibility Services Abuse
    2. Android Applications Basics
    3. Android Task Hijacking
    4. ADB Commands
    5. APK decompilers
    6. AVD - Android Virtual Device
    7. Bypass Biometric Authentication (Android)
    8. content:// protocol
    9. Drozer Tutorial
      1. Exploiting Content Providers
    11. Exploiting a debuggeable application
    12. Flutter
    13. Frida Tutorial
      1. Frida Tutorial 1
      2. Frida Tutorial 2
      3. Frida Tutorial 3
      4. Objection Tutorial
    15. Google CTF 2018 - Shall We Play a Game?
    16. Insecure In App Update Rce
    17. Install Burp Certificate
    18. Intent Injection
    19. Make APK Accept CA Certificate
    20. Manual DeObfuscation
    21. React Native Application
    22. Reversing Native Libraries
    23. Shizuku Privileged Api
    24. Smali - Decompiling, Modifying, Compiling
    25. Spoofing your location in Play Store
    26. Tapjacking
    27. Webview Attacks
  80. iOS Pentesting Checklist
  81. iOS Pentesting
    1. Air Keyboard Remote Input Injection
    2. iOS App Extensions
    3. iOS Basics
    4. iOS Basic Testing Operations
    5. iOS Burp Suite Configuration
    6. iOS Custom URI Handlers / Deeplinks / Custom Schemes
    7. iOS Extracting Entitlements From Compiled Application
    8. iOS Frida Configuration
    9. iOS Hooking With Objection
    10. iOS Pentesting withuot Jailbreak
    11. iOS Protocol Handlers
    12. iOS Serialisation and Encoding
    13. iOS Testing Environment
    14. iOS UIActivity Sharing
    15. iOS Universal Links
    16. iOS UIPasteboard
    17. iOS WebViews
  83. Cordova Apps
  84. Xamarin Apps
  86. 👽 Network Services Pentesting
  87. Pentesting JDWP - Java Debug Wire Protocol
  88. Pentesting Printers$$external:http://hacking-printers.net/wiki/index.php/Main_Page$$
  89. Pentesting SAP
  90. Pentesting VoIP
    1. Basic VoIP Protocols
      1. SIP (Session Initiation Protocol)
  92. Pentesting Remote GdbServer
  93. 7/tcp/udp - Pentesting Echo
  94. 21 - Pentesting FTP
    1. FTP Bounce attack - Scan
    2. FTP Bounce - Download 2ºFTP file
  96. 22 - Pentesting SSH/SFTP
  97. 23 - Pentesting Telnet
  98. 25,465,587 - Pentesting SMTP/s
    1. SMTP Smuggling
    2. SMTP - Commands
  100. 43 - Pentesting WHOIS
  101. 49 - Pentesting TACACS+
  102. 53 - Pentesting DNS
  103. 69/UDP TFTP/Bittorrent-tracker
  104. 79 - Pentesting Finger
  105. 80,443 - Pentesting Web Methodology
    1. 403 & 401 Bypasses
    2. AEM - Adobe Experience Cloud
    3. Angular
    4. Apache
    5. Artifactory Hacking guide
    6. Bolt CMS
    7. Buckets
      1. Firebase Database
    9. CGI
    10. Django
    11. DotNetNuke (DNN)
    12. Drupal
      1. Drupal RCE
    14. Electron Desktop Apps
      1. Electron contextIsolation RCE via preload code
      2. Electron contextIsolation RCE via Electron internal code
      3. Electron contextIsolation RCE via IPC
    16. Flask
    17. Git
    18. Golang
    19. Grafana
    20. GraphQL
    21. H2 - Java SQL database
    22. IIS - Internet Information Services
    23. ImageMagick Security
    24. JBOSS
    25. Jira & Confluence
    26. Joomla
    27. JSP
    28. Laravel
    29. Microsoft Sharepoint
    30. Moodle
    31. NextJS
    32. Nginx
    33. NodeJS Express
    34. PHP Tricks
      1. PHP - Useful Functions & disable_functions/open_basedir bypass
        1. disable_functions bypass - php-fpm/FastCGI
        2. disable_functions bypass - dl function
        3. disable_functions bypass - PHP 7.0-7.4 (-nix only)
        4. disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
        5. disable_functions - PHP 5.x Shellshock Exploit
        6. disable_functions - PHP 5.2.4 ionCube extension Exploit
        7. disable_functions bypass - PHP <= 5.2.9 on windows
        8. disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
        9. disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
        10. disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
        11. disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
        12. disable_functions bypass - PHP 5.2 - FOpen Exploit
        13. disable_functions bypass - via mem
        14. disable_functions bypass - mod_cgi
        15. disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
      3. Php Rce Abusing Object Creation New Usd Get A Usd Get B
      4. PHP SSRF
    36. PrestaShop
    37. Python
    38. Rocket Chat
    39. Ruby Tricks
    40. Special HTTP headers$$external:network-services-pentesting/pentesting-web/special-http-headers.md$$
    41. Source code Review / SAST Tools
    42. Special Http Headers
    43. Spring Actuators
    44. Symfony
    45. Tomcat
    46. Uncovering CloudFlare
    47. Vuejs
    48. VMWare (ESX, VCenter...)
    49. Web API Pentesting
    50. WebDav
    51. Werkzeug / Flask Debug
    52. Wordpress
  107. 88tcp/udp - Pentesting Kerberos
    1. Harvesting tickets from Windows
    2. Harvesting tickets from Linux
  109. 110,995 - Pentesting POP
  110. 111/TCP/UDP - Pentesting Portmapper
  111. 113 - Pentesting Ident
  112. 123/udp - Pentesting NTP
  113. 135, 593 - Pentesting MSRPC
  114. 137,138,139 - Pentesting NetBios
  115. 139,445 - Pentesting SMB
    1. rpcclient enumeration
  117. 143,993 - Pentesting IMAP
  118. 161,162,10161,10162/udp - Pentesting SNMP
    1. Cisco SNMP
    2. SNMP RCE
  120. 194,6667,6660-7000 - Pentesting IRC
  121. 264 - Pentesting Check Point FireWall-1
  122. 389, 636, 3268, 3269 - Pentesting LDAP
  123. 500/udp - Pentesting IPsec/IKE VPN
  124. 502 - Pentesting Modbus
  125. 512 - Pentesting Rexec
  126. 513 - Pentesting Rlogin
  127. 514 - Pentesting Rsh
  128. 515 - Pentesting Line Printer Daemon (LPD)
  129. 548 - Pentesting Apple Filing Protocol (AFP)
  130. 554,8554 - Pentesting RTSP
  131. 623/UDP/TCP - IPMI
  132. 631 - Internet Printing Protocol(IPP)
  133. 700 - Pentesting EPP
  134. 873 - Pentesting Rsync
  135. 1026 - Pentesting Rusersd
  136. 1080 - Pentesting Socks
  137. 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
  138. 1414 - Pentesting IBM MQ
  139. 1433 - Pentesting MSSQL - Microsoft SQL Server
    1. Types of MSSQL Users
  141. 1521,1522-1529 - Pentesting Oracle TNS Listener
  142. 1723 - Pentesting PPTP
  143. 1883 - Pentesting MQTT (Mosquitto)
  144. 2049 - Pentesting NFS Service
  145. 2301,2381 - Pentesting Compaq/HP Insight Manager
  146. 2375, 2376 Pentesting Docker
  147. 3128 - Pentesting Squid
  148. 3260 - Pentesting ISCSI
  149. 3299 - Pentesting SAPRouter
  150. 3306 - Pentesting Mysql
  151. 3389 - Pentesting RDP
  152. 3632 - Pentesting distcc
  153. 3690 - Pentesting Subversion (svn server)
  154. 3702/UDP - Pentesting WS-Discovery
  155. 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
  156. 4786 - Cisco Smart Install
  157. 4840 - OPC Unified Architecture
  158. 5000 - Pentesting Docker Registry
  159. 5353/UDP Multicast DNS (mDNS) and DNS-SD
  160. 5432,5433 - Pentesting Postgresql
  161. 5439 - Pentesting Redshift
  162. 5555 - Android Debug Bridge
  163. 5601 - Pentesting Kibana
  164. 5671,5672 - Pentesting AMQP
  165. 5800,5801,5900,5901 - Pentesting VNC
  166. 5984,6984 - Pentesting CouchDB
  167. 5985,5986 - Pentesting WinRM
  168. 5985,5986 - Pentesting OMI
  169. 6000 - Pentesting X11
  170. 6379 - Pentesting Redis
  171. 8009 - Pentesting Apache JServ Protocol (AJP)
  172. 8086 - Pentesting InfluxDB
  173. 8089 - Pentesting Splunkd
  174. 8333,18333,38333,18444 - Pentesting Bitcoin
  175. 9000 - Pentesting FastCGI
  176. 9001 - Pentesting HSQLDB
  177. 9042/9160 - Pentesting Cassandra
  178. 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
  179. 9200 - Pentesting Elasticsearch
  180. 10000 - Pentesting Network Data Management Protocol (ndmp)
  181. 11211 - Pentesting Memcache
    1. Memcache Commands
  183. 15672 - Pentesting RabbitMQ Management
  184. 24007,24008,24009,49152 - Pentesting GlusterFS
  185. 27017,27018 - Pentesting MongoDB
  186. 44134 - Pentesting Tiller (Helm)
  187. 44818/UDP/TCP - Pentesting EthernetIP
  188. 47808/udp - Pentesting BACNet
  189. 50030,50060,50070,50075,50090 - Pentesting Hadoop
  191. 🕸️ Pentesting Web
  192. Less Code Injection Ssrf
  193. Web Vulnerabilities Methodology
  194. Reflecting Techniques - PoCs and Polygloths CheatSheet
    1. Web Vulns List
  196. 2FA/MFA/OTP Bypass
  197. Account Takeover
  198. Browser Extension Pentesting Methodology
    1. BrowExt - ClickJacking
    2. BrowExt - permissions & host_permissions
    3. BrowExt - XSS Example
  200. Bypass Payment Process
  201. Captcha Bypass
  202. Cache Poisoning and Cache Deception
    1. Cache Poisoning via URL discrepancies
    2. Cache Poisoning to DoS
  204. Clickjacking
  205. Client Side Template Injection (CSTI)
  206. Client Side Path Traversal
  207. Command Injection
  208. Content Security Policy (CSP) Bypass
    1. CSP bypass: self + 'unsafe-inline' with Iframes
  210. Cookies Hacking
    1. Cookie Tossing
    2. Cookie Jar Overflow
    3. Cookie Bomb
  212. CORS - Misconfigurations & Bypass
  213. CRLF (%0D%0A) Injection
  214. CSRF (Cross Site Request Forgery)
  215. Dangling Markup - HTML scriptless injection
    1. SS-Leaks
  217. DApps - Decentralized Applications
  218. Dependency Confusion
  219. Deserialization
    1. NodeJS - __proto__ & prototype Pollution
      1. Client Side Prototype Pollution
      2. Express Prototype Pollution Gadgets
      3. Prototype Pollution to RCE
    3. Java JSF ViewState (.faces) Deserialization
    4. Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
    5. Basic Java Deserialization (ObjectInputStream, readObject)
    6. PHP - Deserialization + Autoload Classes
    7. CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
    8. Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
    9. Exploiting __VIEWSTATE knowing the secrets
    10. Exploiting __VIEWSTATE without knowing the secrets
    11. Python Yaml Deserialization
    12. JNDI - Java Naming and Directory Interface & Log4Shell
    13. Ruby Json Pollution
    14. Ruby Class Pollution
  221. Domain/Subdomain takeover
  222. Email Injections
  223. File Inclusion/Path traversal
    1. phar:// deserialization
    2. LFI2RCE via PHP Filters
    3. LFI2RCE via Nginx temp files
    4. LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
    5. LFI2RCE via Segmentation Fault
    6. LFI2RCE via phpinfo()
    7. LFI2RCE Via temp file uploads
    8. LFI2RCE via Eternal waiting
    9. LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
  225. File Upload
    1. PDF Upload - XXE and CORS bypass
  227. Formula/CSV/Doc/LaTeX/GhostScript Injection
  228. gRPC-Web Pentest
  229. HTTP Connection Contamination
  230. HTTP Connection Request Smuggling
  231. HTTP Request Smuggling / HTTP Desync Attack
    1. Browser HTTP Request Smuggling
    2. Request Smuggling in HTTP/2 Downgrades
  233. HTTP Response Smuggling / Desync
  234. Upgrade Header Smuggling
  235. hop-by-hop headers
  236. IDOR
  237. JWT Vulnerabilities (Json Web Tokens)
  238. JSON, XML and YAML Hacking
  239. LDAP Injection
  240. Login Bypass
    1. Login bypass List
  242. NoSQL injection
  243. OAuth to Account takeover
  244. Open Redirect
  245. ORM Injection
  246. Parameter Pollution | JSON Injection
  247. Phone Number Injections
  248. PostMessage Vulnerabilities
    1. Blocking main page to steal postmessage
    2. Bypassing SOP with Iframes - 1
    3. Bypassing SOP with Iframes - 2
    4. Steal postmessage modifying iframe location
  250. Proxy / WAF Protections Bypass
  251. Race Condition
  252. Rate Limit Bypass
  253. Registration & Takeover Vulnerabilities
  254. Regular expression Denial of Service - ReDoS
  255. Reset/Forgotten Password Bypass
  256. Reverse Tab Nabbing
  257. RSQL Injection
  258. SAML Attacks
    1. SAML Basics
  260. Server Side Inclusion/Edge Side Inclusion Injection
  261. SQL Injection
    1. MS Access SQL Injection
    2. MSSQL Injection
    3. MySQL injection
      1. MySQL File priv to SSRF/RCE
    5. Oracle injection
    6. Cypher Injection (neo4j)
    7. Sqlmap
    8. PostgreSQL injection
      1. dblink/lo_import data exfiltration
      2. PL/pgSQL Password Bruteforce
      3. Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
      4. Big Binary Files Upload (PostgreSQL)
      5. RCE with PostgreSQL Languages
      6. RCE with PostgreSQL Extensions
    10. SQLMap - CheatSheet
      1. Second Order Injection - SQLMap
  263. SSRF (Server Side Request Forgery)
    1. URL Format Bypass
    2. SSRF Vulnerable Platforms
    3. Cloud SSRF
  265. SSTI (Server Side Template Injection)
    1. EL - Expression Language
    2. Jinja2 SSTI
  267. Timing Attacks
  268. Unicode Injection
    1. Unicode Normalization
  270. UUID Insecurities
  271. WebSocket Attacks
  272. Web Tool - WFuzz
  273. XPATH injection
  274. XS Search
  275. XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
  276. XXE - XEE - XML External Entity
  277. XSS (Cross Site Scripting)
    1. Abusing Service Workers
    2. Chrome Cache to XSS
    3. Debugging Client Side JS
    4. Dom Clobbering
    5. DOM Invader
    6. DOM XSS
    7. Iframes in XSS, CSP and SOP
    8. Integer Overflow
    9. JS Hoisting
    10. Misc JS Tricks & Relevant Info
    11. PDF Injection
    12. Server Side XSS (Dynamic PDF)
    13. Shadow DOM
    14. SOME - Same Origin Method Execution
    15. Sniff Leak
    16. Steal Info JS
    17. XSS in Markdown
  279. XSSI (Cross-Site Script Inclusion)
  280. XS-Search/XS-Leaks
    1. Connection Pool Examples
    2. Connection Pool by Destination Example
    3. Cookie Bomb + Onerror XS Leak
    4. URL Max Length - Client Side
    5. performance.now example
    6. performance.now + Force heavy task
    7. Event Loop Blocking + Lazy images
    8. JavaScript Execution XS Leak
    9. CSS Injection
      1. CSS Injection Code
  282. Iframe Traps
  284. ⛈️ Cloud Security
  285. Pentesting Kubernetes$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/index.html$$
  286. Pentesting Cloud (AWS, GCP, Az...)$$external:https://cloud.hacktricks.wiki/en/pentesting-cloud/pentesting-cloud-methodology.html$$
  287. Pentesting CI/CD (Github, Jenkins, Terraform...)$$external:https://cloud.hacktricks.wiki/en/pentesting-ci-cd/pentesting-ci-cd-methodology.html$$
  289. 😎 Hardware/Physical Access
  290. Physical Attacks
  291. Escaping from KIOSKs
  292. Firmware Analysis
    1. Bootloader testing
    2. Firmware Integrity
  295. 🎯 Binary Exploitation
  296. Basic Stack Binary Exploitation Methodology
    1. ELF Basic Information
    2. Exploiting Tools
      1. PwnTools
  298. Stack Overflow
    1. Pointer Redirecting
    2. Ret2win
      1. Ret2win - arm64
    4. Stack Shellcode
      1. Stack Shellcode - arm64
    6. Stack Pivoting - EBP2Ret - EBP chaining
    7. Uninitialized Variables
  300. ROP - Return Oriented Programing
    1. BROP - Blind Return Oriented Programming
    2. Ret2csu
    3. Ret2dlresolve
    4. Ret2esp / Ret2reg
    5. Ret2lib
      1. Leaking libc address with ROP
        1. Leaking libc - template
      3. One Gadget
      4. Ret2lib + Printf leak - arm64
    7. Ret2syscall
      1. Ret2syscall - ARM64
    9. Ret2vDSO
    10. SROP - Sigreturn-Oriented Programming
      1. SROP - ARM64
    12. Synology Encrypted Archive Decryption
  302. Array Indexing
  303. Chrome Exploiting
  304. Integer Overflow
  305. Format Strings
    1. Format Strings - Arbitrary Read Example
    2. Format Strings Template
  307. Libc Heap
    1. Bins & Memory Allocations
    2. Heap Memory Functions
      1. free
      2. malloc & sysmalloc
      3. unlink
      4. Heap Functions Security Checks
    4. Use After Free
      1. First Fit
    6. Double Free
    7. Overwriting a freed chunk
    8. Heap Overflow
    9. Unlink Attack
    10. Fast Bin Attack
    11. Unsorted Bin Attack
    12. Large Bin Attack
    13. Tcache Bin Attack
    14. Off by one overflow
    15. House of Spirit
    16. House of Lore | Small bin Attack
    17. House of Einherjar
    18. House of Force
    19. House of Orange
    20. House of Rabbit
    21. House of Roman
  309. Common Binary Exploitation Protections & Bypasses
    1. ASLR
      1. Ret2plt
      2. Ret2ret & Reo2pop
    3. CET & Shadow Stack
    4. Libc Protections
    5. Memory Tagging Extension (MTE)
    6. No-exec / NX
    7. PIE
      1. BF Addresses in the Stack
    9. Relro
    10. Stack Canaries
      1. BF Forked & Threaded Stack Canaries
      2. Print Stack Canary
  311. Write What Where 2 Exec
    1. Aw2exec Sips Icc Profile
    2. WWW2Exec - atexit()
    3. WWW2Exec - .dtors & .fini_array
    4. WWW2Exec - GOT/PLT
    5. WWW2Exec - __malloc_hook & __free_hook
  313. Common Exploiting Problems
  314. Windows Exploiting (Basic Guide - OSCP lvl)
  315. iOS Exploiting
  317. 🤖 AI
  318. AI Security
    1. Ai Assisted Fuzzing And Vulnerability Discovery
    2. AI Security Methodology
    3. AI MCP Security
    4. AI Model Data Preparation
    5. AI Models RCE
    6. AI Prompts
    7. AI Risk Frameworks
    8. AI Supervised Learning Algorithms
    9. AI Unsupervised Learning Algorithms
    10. AI Reinforcement Learning Algorithms
    11. LLM Training
      1. 0. Basic LLM Concepts
      2. 1. Tokenizing
      3. 2. Data Sampling
      4. 3. Token Embeddings
      5. 4. Attention Mechanisms
      6. 5. LLM Architecture
      7. 6. Pre-training & Loading models
      8. 7.0. LoRA Improvements in fine-tuning
      9. 7.1. Fine-Tuning for Classification
      10. 7.2. Fine-Tuning to follow instructions
  321. 🔩 Reversing
  322. Reversing Tools & Basic Methods
    1. Angr
      1. Angr - Examples
    3. Z3 - Satisfiability Modulo Theories (SMT)
    4. Cheat Engine
    5. Blobrunner
  324. Common API used in Malware
  325. Word Macros
  327. 🔮 Crypto & Stego
  328. Cryptographic/Compression Algorithms
    1. Unpacking binaries
  330. Certificates
  331. Cipher Block Chaining CBC-MAC
  332. Crypto CTFs Tricks
  333. Electronic Code Book (ECB)
  334. Hash Length Extension Attack
  335. Padding Oracle
  336. RC4 - Encrypt&Decrypt
  337. Stego Tricks
  338. Esoteric languages
  339. Blockchain & Crypto Currencies
  341. ✍️ TODO
  342. Interesting Http
  343. Rust Basics
  344. More Tools
  345. MISC
  346. Hardware Hacking
    1. Fault Injection Attacks
    2. I2C
    3. Side Channel Analysis
    4. UART
    5. Radio
    6. JTAG
    7. SPI
  348. Industrial Control Systems Hacking
    1. Modbus Protocol
  350. Radio Hacking
    1. Maxiprox Mobile Cloner
    2. Pentesting RFID
    3. Infrared
    4. Sub-GHz RF
    5. iButton
    6. Flipper Zero
      1. FZ - NFC
      2. FZ - Sub-GHz
      3. FZ - Infrared
      4. FZ - iButton
      5. FZ - 125kHz RFID
    8. Proxmark 3
    9. FISSURE - The RF Framework
    10. Low-Power Wide Area Network
    11. Pentesting BLE - Bluetooth Low Energy
  352. Test LLMs
  353. Burp Suite
  354. Other Web Tricks
  355. Interesting HTTP$$external:todo/interesting-http.md$$
  356. Android Forensics
  357. Online Platforms with API
  358. Stealing Sensitive Information Disclosure from a Web
  359. Post Exploitation
  360. Investment Terms
  361. Cookies Policy
    1. Readme
    2. Readme
    3. Readme
    4. Readme
    5. Readme
    6. Readme
    7. Readme