translations 1

.github/pull_request_template.md

@@ -6,3 +6,4 @@ We value your knowledge and encourage you to share content. Please ensure that y
 
 Thank you for contributing to HackTricks!
 
+

.github/workflows/translate_af.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_de.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_el.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_es.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_fr.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_in.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_it.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_ja.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_ko.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_pl.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_pt.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_sr.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_sw.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_tr.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_uk.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

.github/workflows/translate_zh.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: 3.8
+          python-version: 3.12
 
       - name: Install python dependencies
         run: |

book.toml

@@ -1,5 +1,5 @@
 [book]
-authors = ["Carlos Polop"]
+authors = ["HackTricks Team"]
 language = "en"
 multilingual = false
 src = "src"

src/1911-pentesting-fox.md

@@ -27,3 +27,4 @@ InfluxDB
 ![](<images/image (341).png>)
 
 {{#include ./banners/hacktricks-training.md}}
+

src/6881-udp-pentesting-bittorrent.md

@@ -1,3 +1,4 @@
 {{#include ./banners/hacktricks-training.md}}
 
 {{#include ./banners/hacktricks-training.md}}
+

src/LICENSE.md

@@ -170,3 +170,4 @@ Creative Commons may be contacted at [creativecommons.org](http://creativecommon
 ```
 
 {{#include ./banners/hacktricks-training.md}}
+

src/android-forensics.md

@@ -25,3 +25,4 @@ Create an [android backup using adb](mobile-pentesting/android-app-pentesting/ad
 Use Linux Memory Extractor (LiME) to extract the RAM information. It's a kernel extension that should be loaded via adb.
 
 {{#include ./banners/hacktricks-training.md}}
+

src/burp-suite.md

@@ -15,3 +15,4 @@
 [https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator)
 
 {{#include ./banners/hacktricks-training.md}}
+

src/emails-vulns.md

@@ -7,3 +7,4 @@
 ##
 
 {{#include ./banners/hacktricks-training.md}}
+

src/interesting-http.md

@@ -37,3 +37,4 @@ You can override this rule using an HTML meta tag (the attacker needs to exploit
 Never put any sensitive data inside GET parameters or paths in the URL.
 
 {{#include ./banners/hacktricks-training.md}}
+

src/online-platforms-with-api.md

@@ -119,3 +119,4 @@ Search by domain and email and get if it was pwned and passwords. Commercial?
 [https://www.nmmapper.com/sys/tools/subdomainfinder/](https://www.nmmapper.com/) \(in a commercial tool?\)
 
 {{#include ./banners/hacktricks-training.md}}
+

src/pentesting-web/file-inclusion/README.md

@@ -734,3 +734,4 @@ Stay informed with the newest bug bounties launching and crucial platform update
 **Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md

@@ -41,3 +41,4 @@ However, there is a check in the web server that **prevents loading files that c
 For more information check the description of the Race Condition and the CTF in [https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer](https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md

@@ -99,3 +99,4 @@ Yes, it's possible to generate 100000 temporary files in an EC2 medium size inst
 It looks like by default Nginx supports **512 parallel connections** at the same time (and this number can be improved).
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md

@@ -52,3 +52,4 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\
 ```
 
 ```
+

src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md

@@ -273,3 +273,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and
 {% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md

@@ -71,3 +71,4 @@ print('[x] Something went wrong, please try again')
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md

@@ -62,3 +62,4 @@ if __name__ == "__main__":
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md

@@ -32,3 +32,4 @@ In certain situations, a more specific mask (like `php1<<` or `phpA<<`) might be
 For GNU/Linux systems, the randomness in temporary file naming is robust, rendering the names neither predictable nor susceptible to brute force attacks. Further details can be found in the referenced documentation.
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-inclusion/phar-deserialization.md

@@ -82,3 +82,4 @@ php vuln.php
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-inclusion/via-php_session_upload_progress.md

@@ -37,3 +37,4 @@ More information in the original writeup [https://blog.orange.tw/2018/10/](https
 Another writeup in [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-upload/README.md

@@ -337,3 +337,4 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
 {% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md

@@ -5,3 +5,4 @@
 **Check [https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html](https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html)**
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/hacking-with-cookies/README.md

@@ -298,3 +298,4 @@ There should be a pattern (with the size of a used block). So, knowing how are a
 - [https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie](https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/hacking-with-cookies/cookie-bomb.md

@@ -7,3 +7,4 @@ A nice **example** can be seen in this write-up: [https://hackerone.com/reports/
 And for more information, you can check this presentation: [https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md

@@ -22,3 +22,4 @@ Notice, that third party cookies pointing to a different domain won't be overwri
 > Check this in [**this post with a lab**](https://www.sjoerdlangkemper.nl/2020/05/27/overwriting-httponly-cookies-from-javascript-using-cookie-jar-overflow/).
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/hacking-with-cookies/cookie-tossing.md

@@ -65,3 +65,4 @@ cookie-bomb.md
 - [**Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities**](https://www.youtube.com/watch?v=F_wAzF4a7Xg)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/http-request-smuggling/README.md

@@ -774,3 +774,4 @@ def handleResponse(req, interesting):
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md

@@ -5,3 +5,4 @@
 **Check the post [https://portswigger.net/research/browser-powered-desync-attacks](https://portswigger.net/research/browser-powered-desync-attacks)**
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md

@@ -5,3 +5,4 @@
 **Check the post [https://portswigger.net/research/http-2-downgrades](https://portswigger.net/research/http-2-downgrades)**
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/login-bypass/README.md

@@ -107,3 +107,4 @@ Pages usually redirects users after login, check if you can alter that redirect
 {% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/login-bypass/sql-login-bypass.md

@@ -828,3 +828,4 @@ Pass1234." and 1=0 union select "admin",sha("Pass1234.")#
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md

@@ -243,3 +243,4 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md

@@ -43,3 +43,4 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/postmessage-vulnerabilities/README.md

@@ -237,3 +237,4 @@ For **more information**:
 - To practice: [https://github.com/yavolo/eventlistener-xss-recon](https://github.com/yavolo/eventlistener-xss-recon)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md

@@ -32,3 +32,4 @@ win?.postMessage(buffer, '*', [buffer.buffer]);
 And in order to be precise and **send** that **postmessage** just **after** the **iframe** is created but **before** it's **ready** to receive the data from the parent, you will need to **play with the miliseconds of a `setTimeout`**.
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md

@@ -74,3 +74,4 @@ That **payload** will get the **identifier** and send a **XSS** it **back to the
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md

@@ -84,3 +84,4 @@ The final solution by [**@terjanq**](https://twitter.com/terjanq) is the [**foll
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md

@@ -31,3 +31,4 @@ This is specially useful in **postMessages** because if a page is sending sensit
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/saml-attacks/README.md

@@ -304,3 +304,4 @@ with open("/home/fady/uberSAMLOIDAUTH") as urlList:
 - [https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/](https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/saml-attacks/saml-basics.md

@@ -165,3 +165,4 @@ In conclusion, XML Signatures provide flexible ways to secure XML documents, wit
 - [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/README.md

@@ -571,3 +571,4 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup
 {% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/cypher-injection-neo4j.md

@@ -8,3 +8,4 @@ Check the following blogs:
 - [https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8](https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/ms-access-sql-injection.md

@@ -193,3 +193,4 @@ Where **name\[i] is a .mdb filename** and **realTable is an existent table** wit
 - [http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/mssql-injection.md

@@ -270,3 +270,4 @@ exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
 - [https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/mysql-injection/README.md

@@ -191,3 +191,4 @@ mysql> select version();
 {% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md

@@ -27,3 +27,4 @@ The process varies if the `@@plugin_dir` is not writable, especially for MySQL v
 Automation of these processes can be facilitated by tools such as SQLMap, which supports UDF injection, and for blind SQL injections, output redirection or DNS request smuggling techniques may be utilized.
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/oracle-injection.md

@@ -159,3 +159,4 @@ A `ORA-12541: TNS:no listener` or a `TNS:operation timed out` is a sign that the
 Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/postgresql-injection/README.md

@@ -99,3 +99,4 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
 {% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md

@@ -81,3 +81,4 @@ select lo_unlink(173454);  -- Deletes the specified large object
 It's noted that **large objects may have ACLs** (Access Control Lists), potentially restricting access even to objects created by your user. However, older objects with permissive ACLs may still be accessible for content exfiltration.
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md

@@ -7,3 +7,4 @@
 **Check the solution from:** [**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md

@@ -109,3 +109,4 @@ SELECT testfunc();
 ```
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md

@@ -119,3 +119,4 @@ select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
 ```
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md

@@ -351,3 +351,4 @@ print("    drop function connect_back(text, integer);")
 - [https://www.exploit-db.com/papers/13084](https://www.exploit-db.com/papers/13084)
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md

@@ -322,3 +322,4 @@ rce-with-postgresql-extensions.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/sqlmap.md

@@ -191,3 +191,4 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
 | xforwardedfor.py             | Append a fake HTTP header 'X-Forwarded-For'                                                                                        |
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/sqlmap/README.md

@@ -237,3 +237,4 @@ Remember that **you can create your own tamper in python** and it's very simple.
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md

@@ -77,3 +77,4 @@ sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy
 ```
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/ssrf-server-side-request-forgery/README.md

@@ -403,3 +403,4 @@ Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&u
 Get Access Today:
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
+

src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md

@@ -657,3 +657,4 @@ Rancher's metadata can be accessed using:
 - `curl http://rancher-metadata/<version>/<path>`
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md

@@ -5,3 +5,4 @@
 Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)**
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md

@@ -221,3 +221,4 @@ image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-
 - [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/ssti-server-side-template-injection/README.md

@@ -1121,3 +1121,4 @@ If you think it could be useful, read:
 {% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/ssti-server-side-template-injection/el-expression-language.md

@@ -248,3 +248,4 @@ Check [https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/](https://h1pm
 - [https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt](https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md

@@ -366,3 +366,4 @@ The request will be urlencoded by default according to the HTTP format, which ca
 - [https://hackmd.io/@Chivato/HyWsJ31dI](https://hackmd.io/@Chivato/HyWsJ31dI)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/unicode-injection/README.md

@@ -50,3 +50,4 @@ Emoji lists:
 - [https://unicode.org/emoji/charts-14.0/full-emoji-list.html](https://unicode.org/emoji/charts-14.0/full-emoji-list.html)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/unicode-injection/unicode-normalization.md

@@ -104,3 +104,4 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* allows t
 - [**https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/web-vulnerabilities-methodology/README.md

@@ -127,3 +127,4 @@ These vulnerabilities might help to exploit other vulnerabilities.
 - [ ] [**Unicode Normalization vulnerability**](../unicode-injection/)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/README.md

@@ -964,3 +964,4 @@ Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banne
 Get Access Today:
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
+

src/pentesting-web/xs-search/connection-pool-by-destination-example.md

@@ -115,3 +115,4 @@ Let's see how this exploit work:
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/connection-pool-example.md

@@ -526,3 +526,4 @@ In the exploit you can see:
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md

@@ -60,3 +60,4 @@ The following **script** taken from [**here**](https://blog.huli.tw/2022/05/05/e
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/css-injection/README.md

@@ -781,3 +781,4 @@ So, if the font does not match, the response time when visiting the bot is expec
 - [https://x-c3ll.github.io/posts/CSS-Injection-Primitives/](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/)
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/css-injection/css-injection-code.md

@@ -280,3 +280,4 @@ input[value=]{list-style:url(http://localhost:5001/end?token=&)};
 ```
 
 {{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md

@@ -154,3 +154,4 @@ Let's check the code:
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/javascript-execution-xs-leak.md

@@ -71,3 +71,4 @@ Main page that generates iframes to the previous `/guessing` page to test each p
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/performance.now-+-force-heavy-task.md

@@ -103,3 +103,4 @@ In this challenge the user could sent thousands of chars and if the flag was con
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/performance.now-example.md

@@ -55,3 +55,4 @@ document.addEventListener("DOMContentLoaded", main)
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xs-search/url-max-length-client-side.md

@@ -73,3 +73,4 @@ if __name__ == '__main__':
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xss-cross-site-scripting/README.md

@@ -1753,3 +1753,4 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
 {% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md

@@ -107,3 +107,4 @@ For an example of this check the reference link.
 - [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md

@@ -27,3 +27,4 @@ Verification that the disk cache was utilized can be confirmed through the use o
 For further details on bfcache and disk cache, references can be found at [web.dev on bfcache](https://web.dev/i18n/en/bfcache/) and [Chromium's design documents on disk cache](https://www.chromium.org/developers/design-documents/network-stack/disk-cache/), respectively.
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md

@@ -30,3 +30,4 @@ This will **copy the JS file locally** and you will be able to **modify that cop
 - [https://www.youtube.com/watch?v=BW\_-RCo9lo8\&t=1529s](https://www.youtube.com/watch?v=BW_-RCo9lo8&t=1529s)
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md

@@ -249,3 +249,4 @@ It's possible to add **new entries inside a form** just by **specifying the `for
 - Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker.
 
 {{#include ../../banners/hacktricks-training.md}}
+

src/pentesting-web/xss-cross-site-scripting/dom-invader.md

@@ -89,3 +89,4 @@ In the previous image it's possible to see that DOM clobbering scan can be turne
 - [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering)
 
 {{#include ../../banners/hacktricks-training.md}}
+