falasi/BurpCertifiedPractitioner

Resources

To do:

  • Add Burp scan Configs.
  • Add CyberChef Recipes.
  • Add Payloads.

Default Creds: wiener:peter

Extensions:

  • Turbo Intruder
  • HTTP Request Smuggler
  • JS Miner
  • Flow / Logger++
  • Active Scan++
  • Hackvertor
  • Auth Analyzer
  • Upload Scanner

Tools:

PortSwigger Cheatsheets:

Stages and what to look for. Credit to Micah Van Deusen's writeup.

Category Stage 1 Stage 2 Stage 3
SQL Injection ✔️ ✔️
Cross-site scripting ✔️ ✔️
Cross-site request forgery (CSRF) ✔️ ✔️
Clickjacking ✔️ ✔️
DOM-based vulnerabilities ✔️ ✔️
Cross-origin resource sharing (CORS) ✔️ ✔️
XML external entity (XXE) injection ✔️
Server-side request forgery (SSRF) ✔️
HTTP request smuggling ✔️ ✔️
OS command injection ✔️
Server-side template injection ✔️
Directory traversal ✔️
Access control vulnerabilities ✔️ ✔️
Authentication ✔️ ✔️
Web cache poisoning ✔️ ✔️
Insecure deserialization ✔️
HTTP Host header attacks ✔️ ✔️
OAuth authentication ✔️ ✔️
File upload vulnerabilities ✔️
JWT ✔️ ✔️

Common Hackvertor tags:

  • <@urlencode><@/urlencode>
  • <@urlencode_all><@/urlencode_all>
  • <@d_url><@/d_url>

Learning:

PortSwigger all materials

About

Wordlists, POCs for Burp Certified Practitioner
