# Misc

{% embed url="<https://twitter.com/ThisIsDK999/status/1361298477783805952?s=20>" %}

* <https://gccybermonks.com/posts/popups/>
* <https://www.mannulinux.org/2021/03/from-tikiwiki-to-domain-admin-journey.html>
* <https://blog.cryptohack.org/twitter-secrets>
* <https://bdgajera.medium.com/ssrf-if-the-application-renders-csv-bd56c4cbea6c>
* <https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/>
* <https://www.hahwul.com/2020/12/24/toctou-ssrf/>
* <https://github.com/minimaxir/big-list-of-naughty-strings>
* <https://mr-msa.notion.site/mr-msa/Write-ups-Tips-0b10fa38dc64499192dcf8df8ec56da9>

```
SSL Pinning -
https://www.youtube.com/watch?v=is8lHjEkk7U

How does HTTP work?
How does SSL / TLS work?
How does DNS work?
How does OAuth work?

https://twitter.com/s0md3v/status/1168846854689132544
https://twitter.com/hackerscrolls/status/1269266750467649538
https://blog.avuln.com/article/4
https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
https://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts/
https://research.nccgroup.com/2020/07/07/an-offensive-guide-to-the-authorization-code-grant/
https://www.youtube.com/watch?v=O762qjAjAyo&list=PLnICOE3KiEs9J65ndHOeOYDiyA7FhI1g9&index=6&t=0s
https://maxfieldchen.com/posts/2020-05-17-penetration-testers-guide-oauth-2.html
https://medium.com/@apkash8/oauth-and-security-7fddce2e1dc5
https://medium.com/@lokeshdlk77/bypass-oauth-nonce-and-steal-oculus-response-code-faa9cc8d0d37
https://t.co/FYJdf7Z6nG?amp=1

Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues. What worked was... \udfff -> � -> ? Therefore... {"redirectUri":"https://attacker\udfff@[victim]/"} Equals... Location: https://attacker?@[victim]/
https://twitter.com/samwcyo/status/1246997498981494784

https://xpoc.pro/oauth-authentication-bypass-on-airbnb-acquisition-using-weird-1-char-open-redirect/

Got my 1st HTTP Parameter Pollution (HPP) bug rewarded! Targeting an OAuth login: by providing url parameter "scope" twice, the page asked confirmation for the first, but ended up authorizing all others too:

/oauth?redirect=x&response_type=code&client_id=x&scope=name&scope=email

https://www.hackedu.com/blog/analysis-of-common-federated-identity-protocols-openid-connect-vs-oauth-2.0-vs-saml-2.0
https://twitter.com/apisecurityio/status/1283023445081509888?s=20

Certificate Transparency:
https://www.digicert.com/certificate-transparency/how-it-works.htm
http://www.certificate-transparency.org/how-ct-works
https://medium.com/babylon-engineering/android-security-certificate-transparency-601c18157c44

HTTP headers:
https://www.federacy.com/blog/security-headers-the-whys-and-hows/
https://zgheb.com/i?v=blog&pl=46#sh_acao
https://blog.initd.sh/others-attacks/web-application/http-security-headers-detailed-explanation/
https://www.youtube.com/watch?v=eDauBJUthRo
https://int64software.com/blog/2018/11/05/hardening-website-security-part-1-http-security-headers/
https://blog.detectify.com/2019/02/05/guide-http-security-headers-for-better-web-browser-security/
https://medium.com/@Johne_Jacob/7-security-response-headers-every-security-tester-should-know-77576ffdfc0f
https://www.scip.ch/en/?labs.20180809
```

CSP - <https://csper.io/blog/other-csp-security>

CSP - <https://www.youtube.com/watch?v=c3JjTRFl5D8&t=0s&list=PLv-PXy2JVvivzOKjt7_jA8NnIifCnRjOS&index=15>

JWT:

```
https://zonksec.com/blog/jwt-hacking-101/
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
https://www.slideshare.net/snyff/jwt-insecurity
https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/january/jwt-attack-walk-through/
https://www.shawarkhan.com/2019/01/hijacking-accounts-by-retrieving-jwt.html
https://medium.com/@blackhood/simple-jwt-hacking-73870a976750
https://github.com/dwyl/learn-json-web-tokens
https://habr.com/en/post/450054/
https://gist.github.com/pranav1hivarekar/65e59cb95d56acf02ffdaf17b25f4039
https://www.youtube.com/watch?v=rCkDE2me_qk
https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781
https://www.scip.ch/en/?labs.20190523
https://blog.securitybreached.org/2018/10/27/privilege-escalation-like-a-boss/
https://badshah.io/pentesting-jwt-tokens/
https://www.owasp.org/images/0/07/20190222--Nyffenegger-JWAT.pdf
https://www.youtube.com/watch?v=sGvF8wS76Dk
https://www.youtube.com/watch?v=aYz8yPymyvk
http://intx0x80.blogspot.com/2019/10/JWT.html
https://mazinahmed.net/blog/breaking-jwt/
https://research.securitum.com/jwt-json-web-token-security/
https://github.com/ticarpi/jwt_tool/wiki
https://www.youtube.com/watch?v=nM8kibRciJQ
https://www.youtube.com/watch?v=M3jA0bGDCso&feature=emb_logo
https://youtu.be/zWVRHK3ykfo
https://youtu.be/558MFgH1t9g
https://t.co/Su15R6Vpps?amp=1
https://blog.silentsignal.eu/2021/02/08/abusing-jwt-public-keys-without-the-public-key/
```

OAuth / SAML -

```
https://medium.com/securing/what-is-going-on-with-oauth-2-0-and-why-you-should-not-use-it-for-authentication-5f47597b2611

How to Hunt Bugs in SAML; a Methodology - Part I
https://www.anitian.com/owning-saml/

The most common OAuth 2.0 Hacks - https://habr.com/en/post/449182/

http://blog.intothesymmetry.com/2015/12/top-10-oauth-2-implementation.html
https://twitter.com/fyoorer/status/1190304570506911744
https://medium.com/swlh/hacking-saml-bce30483d020
https://medium.com/@wdevon99/what-the-hell-is-oauth-6ba19f236612
https://twitter.com/s0md3v/status/1168846854689132544
https://twitter.com/fuxksniper/status/1297092959544856576
```

{% embed url="<https://carbon.now.sh/>" %}

SAML - <https://twitter.com/Alra3ees/status/1259969808969469954>

nmap - <https://twitter.com/JaneScott/status/1072291481728167936?ref_src=twsrc%5Etfw%7Ctwcamp%5Eembeddedtimeline%7Ctwterm%5Ecollection%3A1073939531731210240%7Ctwcon%5Etimelinechrome&ref_url=https%3A%2F%2Ftwitter.com%2Fpentesterland%2Ftimelines%2F1073939531731210240>

{% embed url="<https://s3-us-west-2.amazonaws.com/stationx-public-download/nmap_cheet_sheet_0.6.pdf>" %}

I built a tool to turn [@nmap](https://twitter.com/nmap) scan data into a sortable table for easier consumption. ([https://github.com/jgamblin/nmaptable/…](https://t.co/2pehCY9hLk?amp=1)) Demo: [https://jgamblin.github.io/nmap.html](https://t.co/hxNN3MObR6?amp=1)

Nmap Trick Techniques [#BugBountry](https://twitter.com/hashtag/BugBountry?src=hashtag_click) [https://blog.urfix.com/10-cool-nmap-tricks-techniques/amp/#click=https://t.co/IzRXAg7CiQ](https://t.co/3hi67aqUiS?amp=1)

{% embed url="<https://twitter.com/cnotin/status/1088122067952828416?ref_src=twsrc%5Etfw%7Ctwcamp%5Eembeddedtimeline%7Ctwterm%5Ecollection%3A1088406074103865346%7Ctwcon%5Etimelinechrome&ref_url=https%3A%2F%2Ftwitter.com%2Fpentesterland%2Ftimelines%2F1088406074103865346>" %}

* How to defend your website with ZIP bombs - <https://twitter.com/binitamshah/status/882977758380310529>
* A pretty old bug in Yahoo! [https://medium.com/@uranium238/co](https://t.co/43tnWhhwe3?amp=1)
* New blog post about bypassing payments using webhooks: [https://lightningsecurity.io/blog/bypassing-payments-using-webhooks/…](https://t.co/wpLyUFjzd6?amp=1) [#bugbounty](https://twitter.com/hashtag/bugbounty?src=hashtag_click)
* Some nice writeup, you should read it. [http://blog.jr0ch17.com/tags/#smtp%20header%20injection…](https://t.co/7eBRaHJrlS?amp=1)
* Chaining - <https://web.archive.org/web/20190407101215/https://nahamsec.com/chaining-multiple-vulnerabilities-to-gain-admin-access/>
* <https://github.com/bb1nfosec/Information-Security-Tasks/tree/master/Web>
* <https://medium.com/@masonhck357/chains-on-chains-chaining-multiple-low-level-vulns-into-a-critical-8b88db29738e>

Host Header -

* [https://hackerone.com/reports/123078](https://t.co/Ui9rqQZgUF?amp=1)
* [https://hackerone.com/reports/167631](https://t.co/LQsaWoQWzZ?amp=1)
* [https://hackerone.com/reports/226659](https://t.co/5ybE4y4X0i?amp=1)
* [https://hackerone.com/reports/229498](https://t.co/yGZlnhGpFr?amp=1)
* [https://hackerone.com/reports/244677](https://t.co/MCazG7foUT?amp=1)
* [https://hackerone.com/reports/281575](https://t.co/RJ5MctEwDO?amp=1)
* [https://hackerone.com/reports/317476](https://t.co/LuwkhrQn9s?amp=1)
* [https://hackerone.com/reports/698416](https://t.co/iSg4meA3Ur?amp=1)
* [https://hackerone.com/reports/791293](https://t.co/XRN7cUSL9D?amp=1)

postMessage - <https://medium.com/bugbountywriteup/how-to-spot-and-exploit-postmessage-vulnerablities-329079d307cc>
