alekseng1neer Goto Github PK

alekseng1neer.github.io

awesome-ctf-cheatsheet

CTF Cheatsheet

awesome-oscp

A curated list of awesome OSCP resources

ctfcup22-quals

Репозиторий с заданиями Кубка CTF России 2022

dvwa-guide-2019

Solutions and notes for the Damn Vulnerable Web App pentesting tool, intended to be accurate as of 2Q 2019.

exploit-notes

Sticky notes for pentesting.

foca

Tool to find metadata and hidden information in the documents.

payloadsallthethings

A list of useful payloads and bypass for Web Application Security and Pentest/CTF

pentest-notes

Collection of Pentest Notes and Cheatsheets from a lot of repos (SofianeHamlaoui,dostoevsky,mantvydasb,adon90,BriskSec)

powerfuzzer

powerfuzzer : Highly automated, fully customizable HTTP protocol based application fuzzer

privilege-escalation

This cheasheet is aimed at the CTF Players and Beginners to help them understand the fundamentals of Privilege Escalation with examples.

seclists

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

vulnerable-ad

Create a vulnerable active directory that's allowing you to test most of the active directory attacks in a local lab

web-application-cheatsheet

This cheatsheet is aimed at the CTF Players and Beginners to help them understand Web Application Vulnerablity with examples.

write-up

Root-Me, HTB and more WU...

xss-payload-list

🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List

xss-scanner

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. These 3 types of XSS are defined as follows:  Stored XSS (AKA Persistent or Type I)  Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser. With the advent of HTML5, and other browser technologies, we can envision the attack payload being permanently stored in the victim’s browser, such as an HTML5 database, and never being sent to the server at all.   Reflected XSS (AKA Non-Persistent or Type II) Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user provided data. In some cases, the user provided data may never even leave the browser (see DOM Based XSS next).  DOM Based XSS (AKA Type-0)  As defined by Amit Klein, who published the first article about this issue, DOM Based XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser, i.e., the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. For example, the source (where malicious data is read) could be the URL of the page (e.g., document.location.href), or it could be an element of the HTML, and the sink is a sensitive method call that causes the execution of the malicious data (e.g., document.write)."

xsshunter