Web / Bug Bounty

APIs

• API endpoints (https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)
• API Security part 1 (https://medium.com/datadriveninvestor/api-security-testing-part-1-b0fc38228b93)
• 31 Tips for pentesting APIs (https://medium.com/bugbountywriteup/31-tips-api-security-pentesting-480b5998b765)
• 31 Tips (drive document) (https://docs.google.com/spreadsheets/d/1jn3JnWzQFZW41gKo5Fhxwf2ke2w-pvrpCGhBmKhyIBE/edit#gid=0)
• IDOR/BOLA through API (https://medium.com/@inonst/a-deep-dive-on-the-most-critical-api-vulnerability-bola-1342224ec3f2)
• KeyHacks, show how to use popular APIs (https://github.com/streaak/keyhacks)

Server-Side Injections

• SQL Injections filter bypass (https://websec.wordpress.com/tag/sql-filter-bypass/)
• SQL Injection Cheatsheet (https://github.com/codingo/OSCP-2/blob/master/Documents/SQL%20Injection%20Cheatsheet.md)
• SSRF SVG Cheatsheet (https://github.com/allanlw/svg-cheatsheet)

Client-Side Injections

• HTML5 Security Cheatsheet (https://html5sec.org/)
• XSS Payloads (https://gbhackers.com/top-500-important-xss-cheat-sheet/)
• Polyglot XSS (https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
• AwesomeXSS Payloads (https://github.com/s0md3v/AwesomeXSS/)

PHP

• PHP Object Injections (https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection)
• PHP Vulnerability Audit Cheatsheet (https://github.com/dustyfresh/PHP-vulnerability-audit-cheatsheet)

CMS

• Attacking Drupal (https://github.com/gfoss/attacking-drupal)

BugBounty Tips

• Testing Password Reset functionnalities (https://twitter.com/HusseiN98D/status/1254888748216655872/photo/1)

Others

• Reguest Smuggling (https://portswigger.net/web-security/request-smuggling)
• The Powerfull HTTP Request Smuggling (https://medium.com/@ricardoiramar/the-powerful-http-request-smuggling-af208fafa142)
• CORS (https://portswigger.net/web-security/cors)
• Authorization Checks Made Easy (https://blog.rootrwx.com/post/2021-01-11-auth-checks-made-easy/)
• x8, Arjun, Param Miner comparison (https://4rt.one/blog/1.html)
• Web Vulnerability Analysis (https://securityonline.info/category/penetration-testing/webapp-pentest/web-vulnerability-analysis/)
• Web App Pentesting With Burp Suite Scan Profiles (https://www.whiteoaksecurity.com/blog/web-app-pentesting-burp-suite-scan-profile/)
• Subdomains Tools Review: a full and detailed comparison of subdomain enumeration tools (https://blog.yeswehack.com/yeswerhackers/subdomains-tools-review-full-detailed-comparison/)

Mobile Bug Bounty

• Bug Bounty on Android : setup your Genymotion environment for APK analysis (https://blog.yeswehack.com/yeswerhackers/bug-bounty-android-setup-genymotion-environment-apk-analysis/)