t1

2025-10-10 18:36:50 +00:00 · 2025-01-03 01:05:32 +01:00 · 2025-01-03 01:05:32 +01:00 · ae1d2e8ee6
commit ae1d2e8ee6
parent 3855a3d041
350 changed files with 352 additions and 3 deletions
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -8,3 +8,4 @@ Thank you for contributing to HackTricks!



+
--- a/.github/workflows/translate_hi.yml
+++ b/.github/workflows/translate_hi.yml
@ -1,4 +1,4 @@
-name: Translator to IN (Hindi)
+name: Translator to HI (Hindi)

 on:
  push:
@ -10,7 +10,7 @@ on:
      - '.github/**'
  workflow_dispatch:

-concurrency: in
+concurrency: hi

 permissions:
  id-token: write
@ -22,7 +22,7 @@ jobs:
    environment: prod
    env:
      LANGUAGE: Hindi
-      BRANCH: in
+      BRANCH: hi

    steps:
      - name: Checkout code
--- a/src/1911-pentesting-fox.md
+++ b/src/1911-pentesting-fox.md
@ -29,3 +29,4 @@ InfluxDB
 {{#include ./banners/hacktricks-training.md}}


+
--- a/src/6881-udp-pentesting-bittorrent.md
+++ b/src/6881-udp-pentesting-bittorrent.md
@ -3,3 +3,4 @@
 {{#include ./banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/browser-extension-pentesting-methodology/README.md
+++ b/src/pentesting-web/browser-extension-pentesting-methodology/README.md
@ -757,3 +757,4 @@ Project Neto is a Python 3 package conceived to analyse and unravel hidden featu
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md
+++ b/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md
@ -101,3 +101,4 @@ browext-xss-example.md
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md
+++ b/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md
@ -113,3 +113,4 @@ However, tightening security measures often results in decreased flexibility and
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md
+++ b/src/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md
@ -118,3 +118,4 @@ Notably, the **`/html/bookmarks.html`** page is prone to framing, thus vulnerabl
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/cache-deception/README.md
+++ b/src/pentesting-web/cache-deception/README.md
@ -242,3 +242,4 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/cache-deception/cache-poisoning-to-dos.md
+++ b/src/pentesting-web/cache-deception/cache-poisoning-to-dos.md
@ -145,3 +145,4 @@ Cache: hit
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.md
+++ b/src/pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.md
@ -52,3 +52,4 @@ Several cache servers will always cache a response if it's identified as static.
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/content-security-policy-csp-bypass/README.md
+++ b/src/pentesting-web/content-security-policy-csp-bypass/README.md
@ -818,3 +818,4 @@ pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md
+++ b/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md
@ -66,3 +66,4 @@ window.frames[0].document.head.appendChild(script)
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md
+++ b/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md
@ -263,3 +263,4 @@ XS-Search are oriented to **exfiltrate cross-origin information** abusing **side
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.md
+++ b/src/pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.md
@ -7,3 +7,4 @@
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/README.md
+++ b/src/pentesting-web/deserialization/README.md
@ -989,3 +989,4 @@ Check for more details in the [**original post**](https://github.blog/security/v
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
+++ b/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
@ -197,3 +197,4 @@ namespace DeserializationTests
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
+++ b/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
@ -89,3 +89,4 @@ As you can see in this very basic example, the "vulnerability" here appears beca
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md
+++ b/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md
@ -5,3 +5,4 @@
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+++ b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@ -214,3 +214,4 @@ Check for [further information here](<https://github.com/carlospolop/hacktricks/
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
+++ b/src/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
@ -201,3 +201,4 @@ Make your payload execute something like the following:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md
+++ b/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md
@ -8,3 +8,4 @@ Check the posts:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
+++ b/src/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
@ -231,3 +231,4 @@ You can find more gadgets here: [https://deadcode.me/blog/2016/09/02/Blind-Java-
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md
+++ b/src/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md
@ -462,3 +462,4 @@ In this [**writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-l
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
+++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
@ -394,3 +394,4 @@ To reduce the risk of prototype pollution, the strategies listed below can be em
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md
+++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md
@ -116,3 +116,4 @@ Check this writeup: [https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challe
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md
+++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md
@ -127,3 +127,4 @@ You could definitely use it in a bug **chain** to exploit a **prototype pollutio
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
+++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
@ -731,3 +731,4 @@ In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156c
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
+++ b/src/pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
@ -70,3 +70,4 @@ I needed to **call this deserialization twice**. In my testing, the first time t
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/python-yaml-deserialization.md
+++ b/src/pentesting-web/deserialization/python-yaml-deserialization.md
@ -157,3 +157,4 @@ cat /tmp/example_yaml
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/ruby-_json-pollution.md
+++ b/src/pentesting-web/deserialization/ruby-_json-pollution.md
@ -24,3 +24,4 @@ When sending in a body some values not hashabled like an array they will be adde
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/deserialization/ruby-class-pollution.md
+++ b/src/pentesting-web/deserialization/ruby-class-pollution.md
@ -419,3 +419,4 @@ It's possible to brute-force the defined classes and at some point poison the cl
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-inclusion/README.md
+++ b/src/pentesting-web/file-inclusion/README.md
@ -691,3 +691,4 @@ If you include any of the files `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/pha
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md
@ -43,3 +43,4 @@ For more information check the description of the Race Condition and the CTF in
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md
@ -101,3 +101,4 @@ It looks like by default Nginx supports **512 parallel connections** at the same
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
@ -54,3 +54,4 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\
 ```


+
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md
@ -265,3 +265,4 @@ function find_vals($init_val) {
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md
@ -59,3 +59,4 @@ print('[x] Something went wrong, please try again')
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md
@ -64,3 +64,4 @@ if __name__ == "__main__":
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md
@ -34,3 +34,4 @@ For GNU/Linux systems, the randomness in temporary file naming is robust, render
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-inclusion/phar-deserialization.md
+++ b/src/pentesting-web/file-inclusion/phar-deserialization.md
@ -76,3 +76,4 @@ php vuln.php
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md
+++ b/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md
@ -39,3 +39,4 @@ Another writeup in [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-l
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-upload/README.md
+++ b/src/pentesting-web/file-upload/README.md
@ -329,3 +329,4 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md
+++ b/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md
@ -7,3 +7,4 @@
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/hacking-with-cookies/README.md
+++ b/src/pentesting-web/hacking-with-cookies/README.md
@ -300,3 +300,4 @@ There should be a pattern (with the size of a used block). So, knowing how are a
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/hacking-with-cookies/cookie-bomb.md
+++ b/src/pentesting-web/hacking-with-cookies/cookie-bomb.md
@ -9,3 +9,4 @@ And for more information, you can check this presentation: [https://speakerdeck.
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
+++ b/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
@ -24,3 +24,4 @@ Notice, that third party cookies pointing to a different domain won't be overwri
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/hacking-with-cookies/cookie-tossing.md
+++ b/src/pentesting-web/hacking-with-cookies/cookie-tossing.md
@ -67,3 +67,4 @@ cookie-bomb.md
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/http-connection-request-smuggling.md
+++ b/src/pentesting-web/http-connection-request-smuggling.md
@ -38,3 +38,4 @@ This issue can potentially be combined with [Host header attacks](https://portsw
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/http-request-smuggling/README.md
+++ b/src/pentesting-web/http-request-smuggling/README.md
@ -762,3 +762,4 @@ def handleResponse(req, interesting):
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md
+++ b/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md
@ -7,3 +7,4 @@
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
+++ b/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
@ -7,3 +7,4 @@
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/http-response-smuggling-desync.md
+++ b/src/pentesting-web/http-response-smuggling-desync.md
@ -132,3 +132,4 @@ Therefore, the **next request of the second victim** will be **receiving** as **
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/idor.md
+++ b/src/pentesting-web/idor.md
@ -5,3 +5,4 @@
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/iframe-traps.md
+++ b/src/pentesting-web/iframe-traps.md
@ -23,3 +23,4 @@ Ofc, the main limitations are that a **victim closing the tab or putting another
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/ldap-injection.md
+++ b/src/pentesting-web/ldap-injection.md
@ -222,3 +222,4 @@ intitle:"phpLDAPadmin" inurl:cmd.php
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/login-bypass/README.md
+++ b/src/pentesting-web/login-bypass/README.md
@ -99,3 +99,4 @@ Pages usually redirects users after login, check if you can alter that redirect
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/login-bypass/sql-login-bypass.md
+++ b/src/pentesting-web/login-bypass/sql-login-bypass.md
@ -816,3 +816,4 @@ Pass1234." and 1=0 union select "admin",sha("Pass1234.")#
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/nosql-injection.md
+++ b/src/pentesting-web/nosql-injection.md
@ -257,3 +257,4 @@ for u in get_usernames(""):
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/oauth-to-account-takeover.md
+++ b/src/pentesting-web/oauth-to-account-takeover.md
@ -235,3 +235,4 @@ If the platform you are testing is an OAuth provider [**read this to test for po
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/open-redirect.md
+++ b/src/pentesting-web/open-redirect.md
@ -187,3 +187,4 @@ exit;
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/orm-injection.md
+++ b/src/pentesting-web/orm-injection.md
@ -333,3 +333,4 @@ By brute-forcing and potentially relationships it was possible to leak more data
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/parameter-pollution.md
+++ b/src/pentesting-web/parameter-pollution.md
@ -229,3 +229,4 @@ Which might create inconsistences
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/phone-number-injections.md
+++ b/src/pentesting-web/phone-number-injections.md
@ -19,3 +19,4 @@ It's possible to **add strings at the end the phone number** that could be used
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
+++ b/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
@ -245,3 +245,4 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md
+++ b/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md
@ -45,3 +45,4 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/postmessage-vulnerabilities/README.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/README.md
@ -239,3 +239,4 @@ For **more information**:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md
@ -34,3 +34,4 @@ And in order to be precise and **send** that **postmessage** just **after** the
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md
@ -76,3 +76,4 @@ That **payload** will get the **identifier** and send a **XSS** it **back to the
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md
@ -86,3 +86,4 @@ The final solution by [**@terjanq**](https://twitter.com/terjanq) is the [**foll
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md
@ -33,3 +33,4 @@ This is specially useful in **postMessages** because if a page is sending sensit
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/proxy-waf-protections-bypass.md
+++ b/src/pentesting-web/proxy-waf-protections-bypass.md
@ -228,3 +228,4 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/race-condition.md
+++ b/src/pentesting-web/race-condition.md
@ -396,3 +396,4 @@ In [**WS_RaceCondition_PoC**](https://github.com/redrays-io/WS_RaceCondition_PoC
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/rate-limit-bypass.md
+++ b/src/pentesting-web/rate-limit-bypass.md
@ -57,3 +57,4 @@ Note that even if a rate limit is in place you should try to see if the response
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/registration-vulnerabilities.md
+++ b/src/pentesting-web/registration-vulnerabilities.md
@ -182,3 +182,4 @@ hacking-jwt-json-web-tokens.md
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/regular-expression-denial-of-service-redos.md
+++ b/src/pentesting-web/regular-expression-denial-of-service-redos.md
@ -82,3 +82,4 @@ Regexp (a+)*$ took 723 milliseconds.
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/reset-password.md
+++ b/src/pentesting-web/reset-password.md
@ -189,3 +189,4 @@ uuid-insecurities.md
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/reverse-tab-nabbing.md
+++ b/src/pentesting-web/reverse-tab-nabbing.md
@ -83,3 +83,4 @@ Prevention information are documented into the [HTML5 Cheat Sheet](https://cheat
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/saml-attacks/README.md
+++ b/src/pentesting-web/saml-attacks/README.md
@ -306,3 +306,4 @@ with open("/home/fady/uberSAMLOIDAUTH") as urlList:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/saml-attacks/saml-basics.md
+++ b/src/pentesting-web/saml-attacks/saml-basics.md
@ -167,3 +167,4 @@ In conclusion, XML Signatures provide flexible ways to secure XML documents, wit
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
+++ b/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
@ -246,3 +246,4 @@ xslt-server-side-injection-extensible-stylesheet-language-transformations.md
 {{#include ../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/README.md
+++ b/src/pentesting-web/sql-injection/README.md
@ -548,3 +548,4 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/cypher-injection-neo4j.md
+++ b/src/pentesting-web/sql-injection/cypher-injection-neo4j.md
@ -10,3 +10,4 @@ Check the following blogs:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md
+++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
@ -195,3 +195,4 @@ Where **name\[i] is a .mdb filename** and **realTable is an existent table** wit
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/mssql-injection.md
+++ b/src/pentesting-web/sql-injection/mssql-injection.md
@ -272,3 +272,4 @@ exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/mysql-injection/README.md
+++ b/src/pentesting-web/sql-injection/mysql-injection/README.md
@ -184,3 +184,4 @@ mysql> select version();
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
+++ b/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
@ -29,3 +29,4 @@ Automation of these processes can be facilitated by tools such as SQLMap, which
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/oracle-injection.md
+++ b/src/pentesting-web/sql-injection/oracle-injection.md
@ -161,3 +161,4 @@ Another package I have used in the past with varied success is the [`GETCLOB()`
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/postgresql-injection/README.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/README.md
@ -91,3 +91,4 @@ SELECT $TAG$hacktricks$TAG$;
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
@ -83,3 +83,4 @@ It's noted that **large objects may have ACLs** (Access Control Lists), potentia
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
@ -9,3 +9,4 @@
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
@ -111,3 +111,4 @@ SELECT testfunc();
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
@ -121,3 +121,4 @@ select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
@ -353,3 +353,4 @@ print("    drop function connect_back(text, integer);")
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md
@ -324,3 +324,4 @@ rce-with-postgresql-extensions.md
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/sqlmap.md
+++ b/src/pentesting-web/sql-injection/sqlmap.md
@ -193,3 +193,4 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/sqlmap/README.md
+++ b/src/pentesting-web/sql-injection/sqlmap/README.md
@ -225,3 +225,4 @@ Remember that **you can create your own tamper in python** and it's very simple.
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
+++ b/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
@ -79,3 +79,4 @@ sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy
 {{#include ../../../banners/hacktricks-training.md}}


+
--- a/src/pentesting-web/ssrf-server-side-request-forgery/README.md
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/README.md
@ -382,3 +382,4 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP



+
--- a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
@ -659,3 +659,4 @@ Rancher's metadata can be accessed using:
 {{#include ../../banners/hacktricks-training.md}}


+
--- a/Show More
+++ b/Show More
				`@ -29,3 +29,4 @@ InfluxDB`
				`{{#include ./banners/hacktricks-training.md}}`
				`@ -3,3 +3,4 @@`
				`{{#include ./banners/hacktricks-training.md}}`
				`@ -757,3 +757,4 @@ Project Neto is a Python 3 package conceived to analyse and unravel hidden featu`
				`{{#include ../../banners/hacktricks-training.md}}`
				`@ -101,3 +101,4 @@ browext-xss-example.md`
				`{{#include ../../banners/hacktricks-training.md}}`
				`@ -113,3 +113,4 @@ However, tightening security measures often results in decreased flexibility and`
				`{{#include ../../banners/hacktricks-training.md}}`
				@ -118,3 +118,4 @@ Notably, the `/html/bookmarks.html` page is prone to framing, thus vulnerabl
				`{{#include ../../banners/hacktricks-training.md}}`
				`@ -242,3 +242,4 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S`
				`{{#include ../../banners/hacktricks-training.md}}`
				`@ -145,3 +145,4 @@ Cache: hit`
				`{{#include ../../banners/hacktricks-training.md}}`
				`@ -52,3 +52,4 @@ Several cache servers will always cache a response if it's identified as static.`
				`{{#include ../../banners/hacktricks-training.md}}`
				`@ -818,3 +818,4 @@ pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);`
				`{{#include ../../banners/hacktricks-training.md}}`