Hacking Resources

This is a list of resources I started in April 2016 and will use to keep track of interesting articles. It was inspired by Philippe Harewood's (@phwd) Facebook Page https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640

Disclosures

Application Logic

06/18/2013 - https://labs.spotify.com/2013/06/18/creative-usernames/ - Creative usernames and Spotify account hijacking
06/26/2013 - Hijacking a Facebook Account with SMS - https://whitton.io/articles/hijacking-a-facebook-account-with-sms/
03/25/2014 - Phabricator Bypass auth.email-domains - https://hackerone.com/reports/2233
05/15/2016 - The Bank Job - https://boris.in/blog/2016/the-bank-job/
05/19/2016 - InstaBrute: Two Ways to Brute-force Instagram Account Credentials - https://www.arneswinnen.net/2016/05/instabrute-two-ways-to-brute-force-i...
06/06/2016 - Trello bug bounty: Payments informations are sent to the webhook - https://hethical.io/trello-bug-bounty-payments-informations-are-sent-to-...
06/07/2016 - Pwning Pornhub (memcache) - https://blog.zsec.uk/pwning-pornhub/
07/01/2016 - Magento – Re-Installation & Account Hijacking Vulnerabilities - http://netanelrub.in/2016/07/01/magento-re-installation-account-hijackin...
08/08/2016 - Free way to Facebook Freebooting | Hacking Rights Manager - http://www.7xter.com/2016/08/free-way-to-facebook-freebooting.html
08/16/2016 - Google Chrome, Firefox Address Bar Spoofing Vulnerability - http://www.rafayhackingarticles.net/2016/08/google-chrome-firefox-addres...
08/18/2016 - How I hacked an Android App to Get Free Beer - https://breakdev.org/how-i-hacked-an-android-app-to-get-free-beer/
09/02/2016 - Response To Request Injection (RTRI) - https://www.bugbountyhq.com/front/latestnews/dWRWR0thQ2ZWOFN5cTE1cXQrSFZ...
03/15/2017 - Check Point Discloses Vulnerability in Whatsapp and Telegram - http://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerabilit...
03/28/2017 - This book reads you using Javascript - https://s1gnalcha0s.github.io/ibooks/epub/2017/03/27/This-book-reads-you...

Authentication

04/27/2016 - Microsoft Office 365 SAML Bypass - http://www.economyofmechanism.com/office365-authbypass.html
04/28/2016 - Slack bot token leakage exposing business critical information - https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-b...
06/01/2016 - Taking over Heroku accounts - http://esevece.github.io/2016/06/01/taking-over-heroku-accounts.html
10/20/2016 - Slack, a Brief Journey to Mission Control - http://secalert.net/slack-security-bug-bounty.html
11/02/2016 - Bypassing Two-Factor Authentication on OWA & Office365 Portals - http://www.blackhillsinfosec.com/?p=5396
02/01/2017 - Content Injection Vulnerability in Wordpress REST API - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpres...
03/13/2017 - The road to your codebase is paved with forged assertions - http://www.economyofmechanism.com/github-saml.html
03/21/2017 - Stealing messenger.com login nonces - https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/

CORS/CSP

04/04/2016 - CSP: bypassing form-action with reflected XSS - https://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-ref...
06/12/16 - Stealing cross origin DOM data with bypassing localhost navigation restriction - https://bugzilla.mozilla.org/show_bug.cgi?id=1279787
12/16/2016 - Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin...

CSRF

05/17/2016 - How I bypassed Facebook CSRF in 2016 - http://pouyadarabi.blogspot.ca/2016/05/how-i-bypassed-facebook-csrf-in-2...
19/07/2016 - Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-pic...
26/10/2016 - Google Spreadsheet Vuln - CSRF and JSON Hijacking allows data theft - https://www.rodneybeede.com/Google_Spreadsheet_Vuln_-_CSRF_and_JSON_Hija...

CSV Injection

29/01/2013 - Cell Injection: Attacking the End User Through the Application - http://blog.7elements.co.uk/2013/01/cell-injection.html
04/17/2016 - CSV Injection in business.uber.com - http://blog.daviddworken.com/posts/csv-injection-in-businessubercom/

HPP

08/23/2015 - Twitter HPP vulnerability unsubscribing from emails - http://www.merttasci.com/blog/twitter-hpp-vulnerability/
12/03/2015 - Parameter Tampering Attack on Twitter Web Intents - https://ericrafaloff.com/parameter-tampering-attack-on-twitter-web-intents/
02/02/2016 - Bypassing Digits web authentication's host validation with HPP - https://hackerone.com/reports/114169

Host Header Injection
09/06/2016 - Internet Explorer has a URL Problem - http://blog.innerht.ml/internet-explorer-has-a-url-problem/
10/24/2016 - Combining Host Header Injection and Lax Host Parsing Service Malicious Data - https://labs.detectify.com/2016/10/24/combining-host-header-injection-an...

IDOR

07/08/2014 - Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User -http://stephensclafani.com/2014/07/08/hacking-facebooks-legacy-api-part-...
06/23/2016 - UBER HACKING: HOW WE FOUND OUT WHO YOU ARE, WHERE YOU ARE AND WHERE YOU WENT! - https://labs.integrity.pt/articles/uber-hacking-how-we-found-out-who-you...
06/23/2016 - Facebook's Bug - Delete any video from Facebook - http://www.pranavhivarekar.in/2016/06/23/facebooks-bug-delete-any-video-...
08/25/2016 - How I Could Have Hacked Multiple Facebook Accounts - https:[email protected]/how-i-could-have-hacked-multiple-faceb...
11/22/2016 - You get a UUID! You get a UUID! Everybody gets a UUID! - http://www.rohk.xyz/uber-uuid/
01/23/2017 - Facebook Vulnerability to Delete Any Video - http://danmelamed.blogspot.ca/2017/01/facebook-vulnerability-delete-any-...

Information Disclosure

12/21/2016 - Disclosing the primary email address for each Facebook user - http://www.dawgyg.com/2016/12/21/disclosing-the-primary-email-address-fo...

SSRF

04/18/2016 - ESEA Server-Side Request Forgery and Querying AWS Meta Data - http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-queryin...
02/23/2016 - FFMPEG File Disclosure - https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/web/sup...
Trello Bug BOunty Access Servier Files Using Imagetragick - https://hethical.io/trello-bug-bounty-access-servers-files-using-imagetr...
03/01/2017 - Ok Google, Give Me All Your Internal DNS Information! - https://www.rcesecurity.com/2017/03/ok-google-give-me-all-your-internal-...

SSTI

04/25/2016 - Adapting AngularJS Payloads to Exploit Real World Applications - http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-explo...

Reverse Engineering

04/19/2016 - Digging into a Facebook Worm -https://gist.githubusercontent.com/phwd/0ec21c6289543f35135e17aa11f7dec1...
07/01/2016 - How I Cracked a Keylogger and Ended Up in Someone's Inbox - https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keyl...
11/14/2016 - Hacking Team Back For Your Androids - http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/
28/02/2017 - Hacking Unicorns with Web Bluetooth - https://www.contextis.com/resources/blog/hacking-unicorns-web-bluetooth/
04/05/2017 - Defeating Device Guard: A look into CVE-2017-0007 - https://enigma0x3.net/2017/04/03/defeating-device-guard-a-look-into-cve-...

Relative Path Overwrite

03/21/2014 - Relative vs Absolute - http://www.thespanner.co.uk/2014/03/21/rpo/
02/17/2015 - Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities - http://blog.portswigger.net/2015/02/prssi.html
07/03/2016 - RPO Gadgets - http://blog.innerht.ml/rpo-gadgets/

XSS

07/06/2010 - Facebook XSS via Cross-Origin Resource Sharinghttp://maustin.net/2010/07/06/facebook_html5.html
02/14/2013 - How I got the Bug Bounty for Mega.co.nz XSS - https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-...
04/22/2015 - XSS via Host header - www.google.com/cse - http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
12/08/2015 - Creative bug which result Stored XSS on m.youtube.com - http://sasi2103.blogspot.ca/2015/12/creative-bug-which-result-stored-xss...
04/17/2016 - XSS in pypi (and Uber!) - http://blog.daviddworken.com/posts/xss-in-pypi-and-uber/
04/17/2016 - XSS in getrush.uber.com - http://blog.daviddworken.com/posts/xss-in-getrushubercom/
04/19/2016 - Using a Braun Shaver to Bypass XSS Audit and WAF - https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-...
05/09/2016 - XSS and RCE, domain takeover with remote loaded JS - http://brutelogic.com.br/blog/xss-and-rce/
06/13/2016 - Embedding XSS in SVG files - http://bini.tech/wordpress-remote-upload-unrestricted-file-upload/
07/02/2016 - OneDrive: an easter egg into MS library - XSS on Microsoft and not only - https://luc10.github.io/onedrive-an-easter-egg-into-ms-library/
07/04/2016 - Apple and the 5 XSSes - http://strukt93.blogspot.ca/2016/07/apple-and-5-xsses.html
07/19/2016 - Instagram Reflected XSS in Link Shim - http://ameeras.me/Instagram-Reflected-XSS-in-Link-Shim/
07/19/2016 - Blind XSS in Spotify - https://mhmdiaa.github.io/jekyll/update/2016/07/19/blind-xss-in-spotify....
07/22/2016 - United to XSS United - http://strukt93.blogspot.ca/2016/07/united-to-xss-united.html
08/29/2016 - Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded - https://httpsonly.blogspot.ca/2016/08/turning-self-xss-into-good-xss-v2....
08/31/2016 - Breaching a CA – Blind Cross-site Scripting (BXSS) in the GeoTrust SSL Operations Panel Using XSS Hunter - https://thehackerblog.com/breaching-a-ca-blind-cross-site-scripting-bxss...
09/19/2016 - Combination of techniques lead to DOM Based XSS in Google - http://sasi2103.blogspot.ca/2016/09/combination-of-techniques-lead-to-do...
12/07/2016 - Stored XSS Affecting All Fantasy Sports on Yahoo - http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fan...
02/17/2017 - BetterTTV Chrome extension stored XSS - https://klikki.fi/adv/bttv.html
03/08/2017 - Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-fil...

XXE

06/25/2014 - Identifying Xml eXternal Entity vulnerability (XXE) in GPX files - http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
03/21/2015 - XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250] - https://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library...
08/14/2015 - XXE ALL THE THINGS!!! (INCLUDING APPLE IOS’S OFFICE VIEWER) - https://labs.integrity.pt/articles/xxe-all-the-things-including-apple-io...

CRLF

03/15/2015 - Parse.com - X-Forwarded-Host Injection - Bypass secure & HTTP_only Vulnerability - https://www.youtube.com/watch?v=1yUw7rtTTeI

Remote Code Execution

12/09/2013 - Remote Code Execution exploit in WordPress 3.5.1 - https://tom.vg/2013/12/wordpress-rce-exploit/
02/15/2015 - RCE in Oracle NetBeans Opensource Plugins: PrimeFaces 5.x Expression Language Injection - http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource...
11/06/2015 - Java unserialization - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss...
11/12/2015 - XSS to Remote Code Execution with HipChat - http://maustin.net/2015/11/12/hipchat_rce.html
05/04/2016 - Remote Code Execution via ImageMagick - http://pastebin.com/aE4sKnCg (file)
05/10/2016 - Exploiting ImageMagick on Polyvore (Yahoo) - http://nahamsec.com/exploiting-imagemagick-on-yahoo/
07/22/2016 - Exploiting Java Deserialization via JBoss - https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserializati...
07/25/2016 - CVE-2016-5840: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability - http://www.korpritzombie.com/cve-2016-5840-trend-micro-deep-discovery-ho...
08/15/2016 - Jetbrains IDE Remote Code Execution and Local File Disclosure - http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-e...
08/24/2016 - The Million Dollar Dissident - https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-...
09/21/2016 - pwn them for learn -http://bugdisclose.blogspot.ca/2016/09/pwn-them-for-learn.html
10/26/2016 - Details on the Privilege Escalation Vulnerability in Joomla - https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vuln...
01/17/2016 - Facebook's Imagetragick Story - http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution....
02/15/2016 - [Oracle] pwned by 2 RCE - https://zuh4n.blogspot.ca/2017/02/oracle-pwned-by-2-rce.html
02/28/2017 - Time Based Data Exfiltration - https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/
04/05/2017 - How we exploited a remote code execution vulnerability in math.js - https://capacitorset.github.io/mathjs/
04/11/2017 - CVE-2017-2416 Remote code execution triggered by malformed GIF in ImageIO framework, affecting most iOS/macOS apps - https://blog.flanker017.me/cve-2017-2416-gif-remote-exec/

Memory Related

5/13/2016 - 7-Zip vulnerabilities found by Talos - http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
03/28/2016 - Black box discovery of memory corruption RCE on box.com - https://scarybeastsecurity.blogspot.ca/2017/03/black-box-discovery-of-me...

Source Code Disclosure

03/27/2016 - A tale of an interesting source code leak - http://secalert.net/#scl-soh
07/19/2016 - Accessing PornHub's SVN repo - https://hackerone.com/reports/72243
07/22/2016 - Twitter's Vine Source code dump - https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
10/14/2016 - Importance of up-to-date application usage plus complex password OR from directory traversal to admin panel takeover - http://zuh4n.blogspot.ca/

SQLi

12/20/2016 - Flickr from SQLi to RCE - https://pwnrules.com/flickr-from-sql-injection-to-rce/
07/25/2016 - SQL Injection on sctrack.email.uber.com.cn - https://hackerone.com/reports/150156
01/08/2016 - Bug Bounty Github Enterprise SQL Injection - http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection...
02/28/2017 - Time-based Blind SQLi on news.starbucks.com - http://timeofcheck.com/time-based-blind-sqli-on-news-starbucks-com/

Subdomain Takeover

10/21/14 - Hostile Subdomain Takeover using Heroku/Github/Desk + more - https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-h...
12/08/14 - Hijacking of abandoned subdomains part 2 - https://labs.detectify.com/2014/12/08/hijacking-of-abandoned-subdomains-...
07/26/16 - Uber Subdomain Takeover - http://blog.eseccyber.tech/article/uber.html
09/05/2016 - How I was able to read Uber logs and internal emails - http://blog.pentestnepal.tech/post/149985438982/how-i-was-able-to-read-u...
02/02/2017 - I Got Emails - GSuite Vulnerability - http://blog.pentestnepal.tech/post/156707088037/i-got-emails-g-suite-vul...

HTML Injection

07/26/2016 - Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection - https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-...

OAuth

02/07/2014 - How I Hacked GitHub Again. - http://homakov.blogspot.ca/2014/02/how-i-hacked-github-again.html
07/20/2015 - Bypassing Google Authentication on Periscope's Administration Panel - https://whitton.io/articles/bypassing-google-authentication-on-periscope...
01/04/2016 - Bypassing callback_url validation on Digits - https://hackerone.com/reports/108113
02/29/2016 - Swiping Facebook Official Access Tokens - http://philippeharewood.com/swiping-facebook-official-access-tokens/
04/03/2016 - Obtaining Login Tokens for Outlook, Office or Azure (OAuth) - https://whitton.io/articles/obtaining-tokens-outlook-office-azure-account/
06/16/2016 - Bypass Disabled Client OAuth Login in Facebook Pages Manager App - http://philippeharewood.com/bypass-disabled-client-oauth-login-in-facebo...
10/13/2016 - CVE-2016-4977: RCE in Spring Security OAuth - http://secalert.net/#CVE-2016-4977
11/28/2016 - All your Paypal OAuth tokens belong to me - localhost for the win - http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to...

Mobile
04/12/2015 - Shopify android client all API request's response leakage - https://hackerone.com/reports/56002
07/26/2016 - Odnoklassniki Android application vulnerabilities - https://hackerone.com/reports/97295

Browser
12/06/16 - Firefox - SVG cross domain cookie vulnerability - https://insert-script.blogspot.ca/2016/12/firefox-svg-cross-domain-cooki...
04/05/17 - Defeating the popUp blocker, the XSS filter and SuperNavigate with our fake ticket to the Intranet Zone - https://www.brokenbrowser.com/free-ticket-to-the-intranet-zone/

Unserialize
02/07/2017 - Type Juggling and PHP Object Injection with SQLi - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-inj...

Web Cache Deception
02/27/2017 - Web Cache Deception Attack - http://omergil.blogspot.ca/2017/02/web-cache-deception-attack.html

Browser Messaging API
12/08/2016 - The pitfalls of postMessage - https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/
02/28/2017 - Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token - https://labs.detectify.com/2017/02/28/hacking-slack-using-postmessage-an...
03/21/2017 - LastPass: FireFox error pages still load Content Scripts, allowing access to ExtensionProxyService - https://bugs.chromium.org/p/project-zero/issues/detail?id=1217

CTF Writeups

03/03/2013 - Unauthorized Access: Bypassing PHP strcmp() - http://danuxx.blogspot.ca/2013/03/unauthorized-access-bypassing-php-strc...
06/09/2016 - Hack in the Box 2016 – MISC400 Writeup (Part 1) - http://rileykidd.com/2016/06/09/hack-in-the-box-2016-misc400-writeup-par...
10/03/2016 - Hacking the Hard Way at the Derbycon CTF - https://labs.signalsciences.com/hacking-the-hard-way-at-the-derbycon-ctf...
BSides Ottawa CTF - Second Place! - https://blog.fletchto99.com/2016/october/bsides-ottawa/
2016 Hack the Vote - https://github.com/ctfs/write-ups-2016/tree/master/hack-the-vote-ctf-2016
BSides San Francisco CTF - http://www.i4info.in/2017/02/17/Bsides-CTF/#

Resources

Automation
Automating Web Content Discovery (Alerting) - http://offsecbyautomation.com/Automating-Web-Content-Discovery/

Backup Files Artifacts
Backup File Artifacts - http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html

Client Side Template Injection
XSS without HTML: Client-Side Template Injection with AngularJS - http://blog.portswigger.net/2016/01/xss-without-html-client-side-templat...
AngularJS Sandbox Escapes Explained - https://www.reddit.com/r/angularjs/comments/557bhr/xss_in_angularjs_vide...

CSP
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy - https://research.google.com/pubs/pub45542.html
Bypassing CSP using polyglot jpegs - http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html
GitHub's Post CSP Journey - https://githubengineering.com/githubs-post-csp-journey/

CORS
Exploiting CORS misconfigurations - http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-fo...

CSRF
Anatomy of a Subtle JSON Vulnerability - http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerabi...
Practical JSONP Injection - https://securitycafe.ro/2017/01/18/practical-jsonp-injection/
CSRF is Dead - https://scotthelme.co.uk/csrf-is-dead/
Login/logout CSRF: Time to reconsider? - https://labs.detectify.com/2017/03/15/loginlogout-csrf-time-to-reconsider/

CSV Injection
CSV Injection Mitigations - https://blog.zsec.uk/csv-dangers-mitigations/
Comma Separated Vulnerabilities - http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

CTF
Facebook CTF - https://github.com/facebook/fbctf
Online CTF Practice challenges - https://backdoor.sdslabs.co

Encoding
Hacking with Unicode - https://speakerdeck.com/mathiasbynens/hacking-with-unicode-in-2016
Unicode Character 'PILE OF POO' - http://www.fileformat.info/info/unicode/char/1F4A9/index.htm

Exploit Development
The best resources for learning exploit development - https://www.peerlyst.com/posts/the-best-resources-for-learning-exploit-d...

GraphQL
Facebook Graphql Crash Course - https://www.facebook.com/notes/phwd/a-facebook-graphql-crash-course/1189...
The next step for realtime data in GraphQL - https://dev-blog.apollodata.com/the-next-step-for-realtime-data-in-graph...

Host Headers
Practical HTTP Host Header Attacks - http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks...

Mobile
Decompile and Recompile Android APK - https://blog.bramp.net/post/2015/08/01/decompile-and-recompile-android-apk/
How to View TLS Traffic in Android’s Logs - https://blog.securityevaluators.com/how-to-view-tls-traffic-in-androids-...
IOS Application Security Review Methodology - http://research.aurainfosec.io/ios-application-security-review-methodology/

OAuth
Attacking the OAuth Protocol - https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
RFC 6749 The OAuth 2.0 Authorization Framework - https://tools.ietf.org/html/rfc6749
Top 10 OAuth 2 Implementation Vulnerabilities -  http://blog.intothesymmetry.com/2015/12/top-10-oauth-2-implementation.html

POCs
WordPress 4.7.0 / 4.7.1 Content Injection Proof Of Concept - https://packetstormsecurity.com/files/140901

Programming
Programming Practice (paid premium) - https://coderbyte.com/

Proxies
Running your own anonymous rotating proxies - http://blog.databigbang.com/running-your-own-anonymous-rotating-proxies/
Burp Tutorials - https://vimeo.com/album/3510171
Nicolas Grégoire Burp Pro Tips - http://www.agarri.fr/docs/HiP2k13-Burp_Pro_Tips_and_Tricks.pdf
Using Burp Suite to Brute Force HTTP Auth Attacks - http://security-geek.in/2014/08/22/using-burp-suite-to-brute-force-http-...

Recon
Abusing Dorking and Robots.txt - http://sten0.ghost.io/2016/10/13/abusing-dorking-and-robots-txt/
How I Used Google Dorks to Find 0 Days - https://www.linkedin.com/pulse/how-i-used-google-dorks-find-0-days-suraj...

SAML
Bypassing Saml 2.0 SSO - http://research.aurainfosec.io/bypassing-saml20-SSO/

Security Blog Posts
Jerry Gamblin Hacking Blog - http://jerrygamblin.com/category/hacking
Reviewing bug bounties - a hacker's perspective - http://www.skeletonscribe.net/2016/08/reviewing-bug-bounties-hackers.html
lcamtuf's blog - https://lcamtuf.blogspot.ca/
Senate Republicans were skimmed for six months, quietly fix store - https://gwillem.github.io/2016/10/04/how-republicans-send-your-credit-ca...
How Google and Bing Protect their APIs - https://rudk.ws/2016/10/23/how-google-and-bing-protects-their-api/

SQLi
Frans Rosen - Time Based Captcha Protected SQLi - http://www.slideshare.net/fransrosen/time-based-captcha-protected-sql-in...

SSRF
SSRF Bible - https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa...

Training
Open Security Training - http://opensecuritytraining.info/
OWASP Mutillidae II Web Pen-Test Practice Application - https://sourceforge.net/projects/mutillidae/
Practice CTF List / Permanant CTF List - https://captf.com/practice-ctf/
Introduction to OSINT: Recon-ng Tutorial - https://strikersecurity.com/blog/getting-started-recon-ng-tutorial/
Free Dev Books - https://devfreebooks.github.io/

Web Sockets
Cross-Site WebSocket Hijacking (CSWSH) - https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
How Cross-Site WebSocket Hijacking could lead to full Session Compromise - https://www.notsosecure.com/how-cross-site-websocket-hijacking-could-lea...

XSS
Filedescriptor XSS Polygots - http://polyglot.innerht.ml/
prompt.ml XSS Challenge - https://github.com/cure53/XSSChallengeWiki/wiki/prompt.ml#hidden-level--1
File Upload XSS - http://brutelogic.com.br/blog/file-upload-xss/
Brute Logic XSS Challenge I - http://brutelogic.com.br/blog/xss-challenge-i/
Finding XSS Slidedeck - http://slides.com/mscasharjaved/deck-13#/
XSS Polyglots - https://blog.bugcrowd.com/xss-polyglots-the-context-contest
New XXSI Vector Untold Merits of nosniff - https://www.hurricanelabs.com/blog/new-xssi-vector-untold-merits-of-nosniff
DOMXSS Wiki - https://github.com/wisec/domxsswiki/wiki

XXE
XXE Payloads in iOS - http://en.hackdig.com/08/28075.htm

Research papers

Minded Security Expression Language Injection Paper - https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
Sandboxing JavaScript in the Browser - https://var.thejh.net/thesis_excerpt.pdf
Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? - http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-...
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy - https://static.googleusercontent.com/media/research.google.com/en//pubs/...
Detecting DNS Tunneling - https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunnelin...
DNS - https://haxpo.nl/haxpo2015ams/wp-content/uploads/sites/4/2015/04/D1-P.-M...
Securing Frame Communication in Browsers - https://seclab.stanford.edu/websec/frames/post-message.pdf

Online Courses / Training

Cyber Security Base with F-Secure is a free course series by University of Helsinki - https://cybersecuritybase.github.io/
Vulnerable Web Applications for Learning - https://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applica...
Jame Kettle's hackxor - http://hackxor.sourceforge.net/cgi-bin/index.pl#demo
Google XSS Game - https://xss-game.appspot.com/
Google DOM Based XSS - https://public-firing-range.appspot.com/address/index.html
Code Lab: Web Application Exploits and Defenses - https://google-gruyere.appspot.com/
flAWS Challenge - https://summitroute.com/blog/2017/02/26/flaws_challenge/

Cheat Sheets

Path Traversal Cheat Sheet Linux - https://www.gracefulsecurity.com/path-traversal-cheat-sheet-linux/
XXE - https://www.gracefulsecurity.com/xxe-cheatsheet/
HTML5 Security Cheat Sheet - https://html5sec.org/
Brute XSS Cheat Sheet - http://brutelogic.com.br/blog/cheat-sheet/
MySQL SQL Injection Cheat Sheet - http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-c...
AngularJS Sandbox Bypass Collection (includes 1.5.7) - http://pastebin.com/xMXwsm0N
AngularJS Sandbox Bypass 1.5.11 - https://jsfiddle.net/89aj1n7m/
Java Deserialization - https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
Penetration testing tools cheat sheet - https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
OAuth - https://github.com/homakov/oauthsecurity
PHP htaccess Injection Cheat Sheet - https://github.com/sektioneins/pcc/wiki/PHP-htaccess-injection-cheat-sheet
Rails SQL Injection - http://rails-sqli.org/
CTF Wiki Cheatsheets - https://github.com/lucyoa/ctf-wiki/tree/master/web

Tools

Discovery
https://github.com/OJ/gobuster
Sublist3r is python tool that is designed to enumerate subdomains of websites using search engines - https://github.com/aboul3la/Sublist3r
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible - https://github.com/ChrisTruncer/EyeWitness
Smart content discovery burp plugin with context awareness - https://github.com/pathetiq/BurpSmartBuster
An automated tool that checks for backup artifacts that may discloses the web-application's source code - https://github.com/mazen160/bfac

Recon-ng
Recon-ng + Google Dorks + Burp = ... - https://averagesecurityguy.github.io/2016/10/21/recon-ng-dorks-burp/

Port Scanning
Resolve and quickly portscan a list of (sub)domains - https://github.com/melvinsh/subresolve
nMap Vulnerability Scanner: Vulscan - https://n0where.net/nmap-vulnerability-scanner-vulscan/

Mobile
JD-GUI, a standalone graphical utility that displays Java sources from CLASS files. - https://github.com/java-decompiler/jd-gui
Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing - https://github.com/ajinabraham/Mobile-Security-Framework-MobSF
An xposed module that disables SSL certificate checking for the purposes of auditing an app with cert pinning - https://github.com/Fuzion24/JustTrustMe
Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps - https://github.com/nabla-c0d3/ssl-kill-switch2
Android APK Tool - https://ibotpeaches.github.io/Apktool/
Android Dex2Jar - https://github.com/pxb1988/dex2jar

Decompiler
JPEXS Free Flash Decompiler - https://github.com/jindrapetrik/jpexs-decompiler
Flashbang, find theflashVars of a naked SWF and display them - https://github.com/cure53/Flashbang

Java Deserialization
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization - https://github.com/frohoff/ysoserial

Password Cracking
John the Ripper - http://www.openwall.com/john/

Hash Cracking
Online Hash Crack - http://www.onlinehashcrack.com/
CyberChef - https://gchq.github.io/CyberChef/

Vulnerability SaaS
SSRF Detector - https://ssrfdetector.com/
XSSHunter - https://xsshunter.com

IP
IP Converter - https://www.psyon.org/tools/ip_address_converter.php?ip=127.0.0.1

Websockets
Cross-Site WebSocket Hijacking Tester - http://ironwasp.org/cswsh.html

HTTP Client
Inspect HTTP Requests - requestb.in
Various payloads - pingb.in