Bug Bounty - GitBook
Everything 4 bug bounty https://t.me/GiftWay32robot?start=_tgr_HwZ24DI5MWJk
@GitBook_s/WAF-Bypass
https://waf-bypass.dev/
Building WAF-Bypass.dev: A Small Tool for Learning Web Payload Obfuscation
When you spend time learning web application security, you quickly realize that payloads are only one part of the story.
A payload may work in a local lab, but behave differently when it goes through filters, input validation, encoding layers, proxies, or a Web Application Firewall. That gap between “the payload is technically valid” and “the payload actually reaches the application the way you expect” is where things become interesting.
For programmers who struggle with English, I found a good channel that goes after exactly the things you need in real work.
Not the dry grammar-lesson kind, and not irrelevant general English.
Its content is mostly podcast-based and works on situations a developer actually deals with, such as meetings, job interviews, reading documentation, the expressions used by international teams, and real conversations between programmers.
If you feel your English is holding you back at work and in programming, keep their channel handy:
https://t.me/learnobit
@GitBook_s/Top CTF Platforms
Expert:
🔗UnderTheWire - https://underthewire.tech/
🔗AttackDefense - https://attackdefense.com/
🔗FBCTF GitHub Archive - https://github.com/facebookarchive/fbctf
🔗Awesome CTF GitHub Repository - https://github.com/apsdehal/awesome-ctf
🔗Awesome CTF Resources GitHub - https://github.com/devploit/awesome-ctf-resources
🔗Guy in a Tuxedo GitHub - https://github.com/guyinatuxedo
🔗Pwn.tn - https://pwn.tn/
🔗SmashTheStack - http://www.smashthestack.org/main.html
@GitBook_s/Top CTF Platforms
Advanced:
🔗Hack The Box CTF - https://ctf.hackthebox.com/
🔗VulnHub - https://vulnhub.com/
🔗Exploit Exercises - https://exploit-exercises.com/
🔗PortSwigger Web Security - https://portswigger.net/web-security/dashboard
🔗Challenges.re - https://challenges.re/
🔗CryptoHack - https://cryptohack.org/
🔗CryptoPals - https://cryptopals.com/
🔗Rubiya CTF - https://los.rubiya.kr/
@GitBook_s/Top CTF Platforms
Intermediate:
🔗TryHackMe - https://tryhackme.com/
🔗Flare-On - https://flare-on11.ctfd.io/
🔗CTFtime - https://ctftime.org/
🔗Pwn College - https://pwn.college/
🔗OWASP WebGoat - https://owasp.org/www-project-webgoat/
🔗PentesterLab - https://pentesterlab.com/exercises
🔗CMD Challenge - https://cmdchallenge.com/
🔗Hacksplaining - https://hacksplaining.com/lessons
@GitBook_s/Top CTF Platforms
Beginner:
🔗picoCTF - https://play.picoctf.org/
🔗TryHackMe - https://tryhackme.com/
🔗CTFlearn - https://ctflearn.com/
🔗Hacker101 CTF - https://ctf.hacker101.com/
🔗LegitBS - https://legitbs.net/
🔗OverTheWire - https://overthewire.org/
🔗Crackmes.one - https://crackmes.one/
🔗CyberTalents - https://cybertalents.com/challenges/all
@GitBook_s/
Python Ethical Hacking Course Collection
https://drive.google.com/drive/folders/1Uc1I973Cg7Mo6j_KYgsHReC0kR9Jq-OM
(Python Basics • Network Programming • Linux Commands • Information Gathering • Port Scanning • Ethical Hacking Tools)
@GitBook_s/Source Code Review & Patch Analysis[from git & GitHub][white box pentesting]
Finding Vulns in Source Code:
Many modern bug bounty targets are fully or partially open-source. If you can read code on GitHub, you can spot flaws (like SQL injection or IDOR) before testing the live app. [1, 2, 3, 4, 5]
Analyzing Commit Histories:
Developers often push security patches to GitHub. By inspecting recent commits (git log or git diff), you can figure out what vulnerability they tried to fix, which frequently allows you to find a patch-bypass technique. [1, 2, 3]
Digging for Digital Ghosts:
Deleting a file in a repository using git rm does not erase its history. If you know how to navigate Git history, you can find active AWS keys, API tokens, and database passwords hidden in old or "deleted" configuration files. [1]
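A check a repository owner can run before publishing, showing that a file removed with git rm is still readable from history. This is an added example, not code from the channel; the function names, the SECRET_RE pattern and the demo repository are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a repository you own for secrets left in Git history.
# SECRET_RE is an illustrative assumption, not a complete ruleset.
SECRET_RE='AKIA[0-9A-Z]{16}|(api[_-]?key|password|token)[[:space:]]*[:=]'

# Print "<commit> <path>" for each file deleted anywhere in history whose
# last stored version (the parent of the deleting commit) matches SECRET_RE.
audit_deleted_secrets() {
  repo=$1
  git -C "$repo" -c core.quotepath=off log --all --diff-filter=D \
      --name-only --format='@%H' |
  while IFS= read -r line; do
    case $line in
      '') ;;
      @*) commit=${line#@} ;;
      *)  if git -C "$repo" show "$commit^:$line" 2>/dev/null |
             grep -Eiq "$SECRET_RE"; then
            printf '%s %s\n' "$commit" "$line"
          fi ;;
    esac
  done
}

# Build a constructed throwaway repo: one config file holding AWS's published
# documentation example key ID, one harmless file, both removed with `git rm`.
make_demo_repo() {
  demo=$(mktemp -d)
  g() { git -C "$demo" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false "$@"; }
  g init -q
  printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$demo/deploy.cfg"
  printf 'todo: write docs\n' > "$demo/notes.txt"
  g add . && g commit -qm 'initial import'
  g rm -q deploy.cfg notes.txt && g commit -qm 'remove old files'
  printf '%s\n' "$demo"
}

demo_repo=$(make_demo_repo)
audit_deleted_secrets "$demo_repo"   # one line: <commit> deploy.cfg
rm -rf "$demo_repo"
```

A hit means the credential has to be rotated: rewriting history does not recall copies that were already cloned or forked.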
@GitBook_s/Will learning Git & GitHub help in bug bounty?
Yes, learning Git and GitHub is highly valuable for bug bounty hunting. Many critical vulnerabilities arise from poorly configured Git repositories or leaked source code.
