Awesome Security Write-Ups and POCs

A curated list of delightful writeups and POCs

Not mine, not yours; it's everyone's. Feel free to contribute.

Submitting a new resource:

Please read the Contribution Doc

Content

  1. Cross Site Scripting - XSS
  2. Cross Site Request Forgery - CSRF
  3. Server Side Request Forgery - SSRF
  4. Application/Business Logic
  5. SQL Injection - SQLi
  6. Insecure Direct Object Reference - IDOR
  7. Code Execution
  8. Reverse Engineering
  9. DNS Related
  10. Brute-force
  11. Subdomain Takeover
  12. Open URL Redirection
  13. Research Papers
  14. Miscellaneous

Resource

Blogs/Write ups
Cross Site Scripting - XSS
  1. XSS that existed at accounts.google.com - @kinugawamasato
  2. admin.google.com Reflected Cross-Site Scripting (XSS) - @bbuerhaus - Vulnerable continue parameter, https://admin.google.com/mrzioto.com/ServiceNotAllowed?service=grandcentral&continue=javascript:alert(document.cookie);//
  3. XSS-es in Google Caja - @SecurityMB
  4. Content Types and XSS: Facebook Studio - @fin1te - Content-type validated only client-side, which allows HTML/JavaScript to be passed in and executed as XSS
  5. Facebook XSS via Cross-Origin Resource Sharing - @mattaustin
  6. Stored XSS at Parse - Dhaval - No URL validation, thus allowing javascript:alert(1) in the URL parameter, leading to XSS
  7. XSS in OAuth flow of Paypal - Dhaval
  8. Reflected XSS through AngularJS sandbox bypass...McDonald - @finnwea
  9. Coming across an XSS vulnerability at Google sites is wrong I expected - ikuta_T
  10. Hacking Google for fun and profit - Manish Bhattacharya
  11. Unpatched (0day) jQuery Mobile XSS - EDUARDO VELA
  12. Reflected XSS in Etsy - Harry M Gertos
  13. Sleeping stored Google XSS Awakens a $5000 Bounty - Patrik Fehrenbach
  14. admin.google.com Reflected Cross-Site Scripting (XSS) - Brett Buerhaus
  15. Stored XSS at exchange.onavo.com - Dhaval
  16. Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF - Brett Buerhaus
  17. How I found a $5,000 Google Maps XSS - Marin Moulinier
Cross Origin Resource Sharing Exploitation
  1. Think Outside the Scope: Advanced CORS Exploitation Techniques - Sandh0t
Cross Site Request Forgery - CSRF
  1. Messenger.com Site-Wide CSRF - @fin1te
  2. How I bypassed Facebook CSRF once again! - Pouya Darabi
Server Side Request Forgery - SSRF
  1. SSRF at Facebook Update Subscription Menu - Dhaval
  2. Ok Google, Give Me All Your Internal DNS Information - Julien Ahrens
  3. How anyone could have used Uber to ride for free! -
Application/Business Logic
  1. Facebook Simple Technical Bug worth 7500$ - Ashish Padelkar
  2. How I Could Steal Money from Instagram, Google and Microsoft - Arne Swinnen
SQL Injection - SQLi
  1. Popping a shell on the Oculus developer portal - Bitquark
  2. SQLi + XXE + File path traversal Deutsche Telekom - Ibrahim M. El-Sayed
  3. GitHub Enterprise SQL Injection - Orange Tsai
Insecure Direct Object Reference - IDOR
  1. Facebook Vulnerability - Delete Any Video on Facebook - Dan Melamed
  2. Confirming new email/mobile number bug in Facebook - Lokesh Kumar
  3. How I hacked 62.5 million Zomato Users - Anand Prakash
Code Execution
  1. Facebook’s ImageTragick Story - @4lemon
  2. WD My Cloud Mirror 2.11.153 RCE and Authentication Bypass - Kacper Szurek
  3. 0day writeup: XXE in uber.com - Vladimir Ivanov
  4. Command injection which got me "6000$" from #Google - S Venkatesh
  5. Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution - Ben Sadeghipour, Brett Buerhaus
  6. GitHub Enterprise Remote Code Execution - Markus Fenske
  7. Escaping from Restricted Shell and Gaining Root Access - Mehmet Ince
  8. GitHub Enterprise Remote Code Execution
Reverse Engineering
  1. Unfolding obfuscated code with Reven (part 1)
  2. Unfolding obfuscated code with Reven (part 2)
  3. Three roads lead to Rome - Luke Viruswalker
DNS Related
  1. Hijacking Broken Nameservers to Compromise Your Target - @IAmMandatory
  2. That (.) Which Made The Difference - Dhaval
  3. Domain Fronting Via Cloudfront Alternate Domains - Vincent Yiu
Brute-force
  1. How I could have hacked all Facebook accounts - Anand Prakash
Subdomain Takeover
  1. Hijacking tons of Instapage expired users Domains & Subdomains - @emgeekboy
  2. The story of EV-SSL, AWS and trailing dot domains - Detectify
Open URL Redirection
  1. How I discovered a 1000$ open redirect in Facebook - Yassine Aboukir
  2. Facebook Whitehat Vulnerability for 2013: Open Redirection in Facebook Mobile - Prakhar Prasad
  3. Dropbox Team Website Open Redirection - Prakhar Prasad
  4. Bypassing SoundCloud’s protection for open redirections - strukt93
Research Papers
  1. The Complete Guide to CORS (In)Security - Davide Danelon
Miscellaneous
  1. Combining host header injection and lax host parsing serving malicious data - Detectify
  2. Compromising Apache Tomcat via JMX access - NCC Group UK
  3. Facebook's Bug - Unauthorized access to credit/prepaid card details - Pranav Hivarekar
  4. Constructing an XSS vector, using no letters - Charles Neill
  5. Order Facebook Friends by Facebook Recruiting Technical Coefficient - Philippe Harewood
  6. Web Cache Deception Attack - Omer Gil
  7. Hacking Slack using postMessage and WebSocket - Frans Rosén
  8. Stealing Messenger.com Login Nonces - Stephen Sclafani
  9. Escaping a Python sandbox with a memory corruption bug - Gabe Pike
Extras
  1. Everything you need to know about HTTP security headers
  2. Helmet JS
  3. GitHub's post-CSP journey - Patrick Toomey
  4. CORS — a guided tour - Martin Splitt

Credits