Awesome Security Write-Ups and POCs
A curated list of delightful writeups and POCs
Not mine, not yours; it's everyone's. Feel free to contribute.
Submitting a new resource:
Please read the Contribution Doc
Content
- Cross Site Scripting - XSS
- Cross Site Request Forgery - CSRF
- Server Side Request Forgery - SSRF
- Application/Business Logic
- SQL Injection - SQLi
- Insecure Direct Object Reference - IDOR
- Code Execution
- Reverse Engineering
- DNS Related
- Brute-force
- Subdomain Takeover
- Open URL Redirection
- Research Papers
- Miscellaneous
Resource
Blogs/Write ups
Cross Site Scripting - XSS
- XSS that existed at accounts.google.com - @kinugawamasato
- admin.google.com Reflected Cross-Site Scripting (XSS) - @bbuerhaus - Vulnerable continue parameter, https://admin.google.com/mrzioto.com/ServiceNotAllowed?service=grandcentral&continue=javascript:alert(document.cookie);//
- XSS-es in Google Caja - @SecurityMB
- Content Types and XSS: Facebook Studio - @fin1te - Client-side validation for content-type, which then allows HTML/Javascript to be passed and executed as XSS
- Facebook XSS via Cross-Origin Resource Sharing - @mattaustin
- Stored XSS at Parse - Dhaval - No URL validation, thus allowing javascript:alert(1) in a URL parameter, leading to XSS
- XSS in OAuth flow of Paypal - Dhaval
- Reflected XSS through AngularJS sandbox bypass...McDonald - @finnwea
- Coming across an XSS vulnerability at Google sites is wrong I expected - ikuta_T
- Hacking Google for fun and profit - Manish Bhattacharya
- Unpatched (0day) jQuery Mobile XSS - EDUARDO VELA
- Reflected XSS in Etsy - Harry M Gertos
- Sleeping stored Google XSS Awakens a $5000 Bounty - Patrik Fehrenbach
- admin.google.com Reflected Cross-Site Scripting (XSS) - Brett Buerhaus
- Stored XSS at exchange.onavo.com - Dhaval
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF - Brett Buerhaus
- How I found a $5,000 Google Maps XSS - Marin Moulinier
Cross Origin Resource Sharing Exploitation
Cross Site Request Forgery - CSRF
Server Side Request Forgery - SSRF
- SSRF at Facebook Update Subscription Menu - Dhaval
- Ok Google, Give Me All Your Internal DNS Information - Julien Ahrens
- How anyone could have used Uber to ride for free!
Application/Business Logic
- Facebook Simple Technical Bug worth 7500$ - Ashish Padelkar
- How I Could Steal Money from Instagram, Google and Microsoft - Arne Swinnen
SQL Injection - SQLi
- Popping a shell on the Oculus developer portal - Bitquark
- SQLi + XXE + File path traversal Deutsche Telekom - Ibrahim M. El-Sayed
- GitHub Enterprise SQL Injection - Orange Tsai
Insecure Direct Object Reference - IDOR
- Facebook Vulnerability - Delete Any Video on Facebook - Dan Melamed
- Confirming new email/mobile number bug in Facebook - Lokesh Kumar
- How I hacked 62.5 million Zomato Users - Anand Prakash
Code Execution
- Facebook’s ImageTragick Story - @4lemon
- WD My Cloud Mirror 2.11.153 RCE and Authentication Bypass - Kacper Szurek
- 0day writeup: XXE in uber.com - Vladimir Ivanov
- Command injection which got me "6000$" from #Google - S Venkatesh
- Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution - Ben Sadeghipour, Brett Buerhaus
- GitHub Enterprise Remote Code Execution - Markus Fenske
- Escaping from Restricted Shell and Gaining Root Access - Mehmet Ince
Reverse Engineering
- Unfolding obfuscated code with Reven (part 1)
- Unfolding obfuscated code with Reven (part 2)
- Three roads lead to Rome - Luke Viruswalker
DNS Related
- Hijacking Broken Nameservers to Compromise Your Target - @IAmMandatory
- That (.) Which Made The Difference - Dhaval
- Domain Fronting Via Cloudfront Alternate Domains - Vincent Yiu
Brute-force
Subdomain Takeover
- Hijacking tons of Instapage expired users Domains & Subdomains - @emgeekboy
- The story of EV-SSL, AWS and trailing dot domains - Detectify
Open URL Redirection
- How I discovered a 1000$ open redirect in Facebook - Yassine Aboukir
- Facebook Whitehat Vulnerability for 2013: Open Redirection in Facebook Mobile - Prakhar Prasad
- Dropbox Team Website Open Redirection - Prakhar Prasad
- Bypassing SoundCloud’s protection for open redirections - strukt93
Research Papers
Miscellaneous
- Combining host header injection and lax host parsing serving malicious data - Detectify
- Compromising Apache Tomcat via JMX access - NCC Group UK
- Facebook's Bug - Unauthorized access to credit/prepaid card details - Pranav Hivarekar
- Constructing an XSS vector, using no letters - Charles Neill
- Order Facebook Friends by Facebook Recruiting Technical Coefficient - Philippe Harewood
- Web Cache Deception Attack - Omer Gil
- Hacking Slack using postMessage and WebSocket - Frans Rosén
- Stealing Messenger.com Login Nonces - Stephen Sclafani
- Escaping a Python sandbox with a memory corruption bug - Gabe Pike
- Uploading web.config for Fun and Profit 2 - Soroush Dalili
Extras
- Everything you need to know about HTTP security headers
- Helmet JS
- GitHub's post-CSP journey - Patrick Toomey
- CORS — a guided tour - Martin Splitt