translate 1

src/pentesting-web/browser-extension-pentesting-methodology/README.md

@@ -756,3 +756,4 @@ Project Neto is a Python 3 package conceived to analyse and unravel hidden featu
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md

@@ -100,3 +100,4 @@ browext-xss-example.md
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md

@@ -112,3 +112,4 @@ However, tightening security measures often results in decreased flexibility and
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md

@@ -117,3 +117,4 @@ Notably, the **`/html/bookmarks.html`** page is prone to framing, thus vulnerabl
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/cache-deception/README.md

@@ -256,3 +256,4 @@ Get Access Today:
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/cache-deception/cache-poisoning-to-dos.md

@@ -144,3 +144,4 @@ Cache: hit
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.md

@@ -51,3 +51,4 @@ Several cache servers will always cache a response if it's identified as static.
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/content-security-policy-csp-bypass/README.md

@@ -862,3 +862,4 @@ Stay informed with the newest bug bounties launching and crucial platform update
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md

@@ -65,3 +65,4 @@ window.frames[0].document.head.appendChild(script)
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/dangling-markup-html-scriptless-injection/README.md

@@ -262,3 +262,4 @@ XS-Search are oriented to **exfiltrate cross-origin information** abusing **side
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.md

@@ -6,3 +6,4 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/README.md

@@ -978,3 +978,4 @@ Check for more details in the [**original post**](https://github.blog/security/v
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md

@@ -196,3 +196,4 @@ namespace DeserializationTests
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md

@@ -88,3 +88,4 @@ As you can see in this very basic example, the "vulnerability" here appears beca
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md

@@ -4,3 +4,4 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md

@@ -221,3 +221,4 @@ Check for [further information here](<https://github.com/carlospolop/hacktricks/
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md

@@ -200,3 +200,4 @@ Make your payload execute something like the following:
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md

@@ -7,3 +7,4 @@ Check the posts:
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md

@@ -230,3 +230,4 @@ You can find more gadgets here: [https://deadcode.me/blog/2016/09/02/Blind-Java-
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md

@@ -461,3 +461,4 @@ In this [**writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-l
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md

@@ -393,3 +393,4 @@ To reduce the risk of prototype pollution, the strategies listed below can be em
 
 {{#include ../../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md

@@ -115,3 +115,4 @@ Check this writeup: [https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challe
 
 {{#include ../../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md

@@ -126,3 +126,4 @@ You could definitely use it in a bug **chain** to exploit a **prototype pollutio
 
 {{#include ../../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md

@@ -729,3 +729,5 @@ In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156c
 - [https://portswigger.net/research/server-side-prototype-pollution](https://portswigger.net/research/server-side-prototype-pollution)
 
 {{#include ../../../banners/hacktricks-training.md}}
+
+

src/pentesting-web/deserialization/php-deserialization-+-autoload-classes.md

@@ -69,3 +69,4 @@ I needed to **call this deserialization twice**. In my testing, the first time t
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/python-yaml-deserialization.md

@@ -156,3 +156,4 @@ cat /tmp/example_yaml
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/deserialization/ruby-class-pollution.md

@@ -418,3 +418,4 @@ It's possible to brute-force the defined classes and at some point poison the cl
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-inclusion/README.md

@@ -735,3 +735,4 @@ Stay informed with the newest bug bounties launching and crucial platform update
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md

@@ -42,3 +42,4 @@ For more information check the description of the Race Condition and the CTF in
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md

@@ -100,3 +100,4 @@ It looks like by default Nginx supports **512 parallel connections** at the same
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md

@@ -53,3 +53,4 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\
 
 ```
 
+

src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md

@@ -274,3 +274,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md

@@ -72,3 +72,4 @@ print('[x] Something went wrong, please try again')
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md

@@ -63,3 +63,4 @@ if __name__ == "__main__":
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md

@@ -33,3 +33,4 @@ For GNU/Linux systems, the randomness in temporary file naming is robust, render
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-inclusion/phar-deserialization.md

@@ -83,3 +83,4 @@ php vuln.php
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-inclusion/via-php_session_upload_progress.md

@@ -38,3 +38,4 @@ Another writeup in [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-l
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-upload/README.md

@@ -338,3 +338,4 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md

@@ -6,3 +6,4 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/hacking-with-cookies/README.md

@@ -299,3 +299,4 @@ There should be a pattern (with the size of a used block). So, knowing how are a
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/hacking-with-cookies/cookie-bomb.md

@@ -8,3 +8,4 @@ And for more information, you can check this presentation: [https://speakerdeck.
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md

@@ -23,3 +23,4 @@ Notice, that third party cookies pointing to a different domain won't be overwri
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/hacking-with-cookies/cookie-tossing.md

@@ -66,3 +66,4 @@ cookie-bomb.md
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/http-request-smuggling/README.md

@@ -775,3 +775,4 @@ def handleResponse(req, interesting):
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md

@@ -6,3 +6,4 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md

@@ -6,3 +6,4 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/ldap-injection.md

@@ -231,3 +231,4 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/login-bypass/README.md

@@ -108,3 +108,4 @@ Pages usually redirects users after login, check if you can alter that redirect
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/login-bypass/sql-login-bypass.md

@@ -829,3 +829,4 @@ Pass1234." and 1=0 union select "admin",sha("Pass1234.")#
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/nosql-injection.md

@@ -280,3 +280,4 @@ Get Access Today:
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=nosql-injection" %}
 
+

src/pentesting-web/oauth-to-account-takeover.md

@@ -240,3 +240,4 @@ If the platform you are testing is an OAuth provider [**read this to test for po
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/open-redirect.md

@@ -196,3 +196,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/orm-injection.md

@@ -332,3 +332,4 @@ By brute-forcing and potentially relationships it was possible to leak more data
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/parameter-pollution.md

@@ -234,3 +234,4 @@ Which might create inconsistences
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/phone-number-injections.md

@@ -18,3 +18,4 @@ It's possible to **add strings at the end the phone number** that could be used
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md

@@ -244,3 +244,4 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md

@@ -44,3 +44,4 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/postmessage-vulnerabilities/README.md

@@ -238,3 +238,4 @@ For **more information**:
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md

@@ -33,3 +33,4 @@ And in order to be precise and **send** that **postmessage** just **after** the
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md

@@ -75,3 +75,4 @@ That **payload** will get the **identifier** and send a **XSS** it **back to the
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md

@@ -85,3 +85,4 @@ The final solution by [**@terjanq**](https://twitter.com/terjanq) is the [**foll
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md

@@ -32,3 +32,4 @@ This is specially useful in **postMessages** because if a page is sending sensit
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/proxy-waf-protections-bypass.md

@@ -233,3 +233,4 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/race-condition.md

@@ -411,3 +411,4 @@ Get Access Today:
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=race-condition" %}
 
+

src/pentesting-web/rate-limit-bypass.md

@@ -72,3 +72,4 @@ Get Access Today:
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=rate-limit-bypass" %}
 
+

src/pentesting-web/registration-vulnerabilities.md

@@ -181,3 +181,4 @@ hacking-jwt-json-web-tokens.md
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/regular-expression-denial-of-service-redos.md

@@ -81,3 +81,4 @@ Regexp (a+)*$ took 723 milliseconds.
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/reset-password.md

@@ -218,3 +218,4 @@ Stay informed with the newest bug bounties launching and crucial platform update
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/reverse-tab-nabbing.md

@@ -82,3 +82,4 @@ Prevention information are documented into the [HTML5 Cheat Sheet](https://cheat
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/saml-attacks/README.md

@@ -305,3 +305,4 @@ with open("/home/fady/uberSAMLOIDAUTH") as urlList:
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/saml-attacks/saml-basics.md

@@ -166,3 +166,4 @@ In conclusion, XML Signatures provide flexible ways to secure XML documents, wit
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md

@@ -245,3 +245,4 @@ xslt-server-side-injection-extensible-stylesheet-language-transformations.md
 
 {{#include ../banners/hacktricks-training.md}}
 
+

src/pentesting-web/sql-injection/README.md

@@ -572,3 +572,4 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/sql-injection/cypher-injection-neo4j.md

@@ -9,3 +9,4 @@ Check the following blogs:
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/sql-injection/ms-access-sql-injection.md

@@ -194,3 +194,4 @@ Where **name\[i] is a .mdb filename** and **realTable is an existent table** wit
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/sql-injection/mssql-injection.md

@@ -271,3 +271,4 @@ exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
 
 {{#include ../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/sql-injection/mysql-injection/README.md

@@ -192,3 +192,4 @@ mysql> select version();
 
 {{#include ../../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md

@@ -28,3 +28,4 @@ Automation of these processes can be facilitated by tools such as SQLMap, which
 
 {{#include ../../../banners/hacktricks-training.md}}
 
+

src/pentesting-web/sql-injection/oracle-injection.md

@@ -160,3 +160,4 @@ Another package I have used in the past with varied success is the [`GETCLOB()`
 
 {{#include ../../banners/hacktricks-training.md}}
 
+