Navigation

Recon
- Scope
- ASN/CIDR
- Whois
- Company Information
- Subdomain Enumeration
  - Passive
  - Active
- Port Scan
- Probing
- Screenshot
- Content Discovery
Exploitation
- Mobile
- Bypass
  - 403
  - WAF
- Authentication
  - JWT
  - SAML
  - 2FA
  - OAuth
- Cloud
- CMS
  - Wordpress
  - Drupal
  - Others
- Vulnerabilities
  - Cache poisoning
  - Clickjacking
  - Command Injection
  - Cookie Based Attacks
  - CRLF
  - CSRF
  - CORS
  - Deserialization
  - Host Header Injection
  - IDOR
  - IIS
  - LFI
  - Open Redirect
  - Parameter Pollution
  - Path Transversal
  - Prototype Pollution
  - Request Smuggling
  - RCE
  - SSTI
  - SSRF
  - SQLi
  - Timing Attacks
  - XSS
  - XXE
- Helpers
- Other
Resources
- Regexes
- Burp Suite
- Sites
- Writeups
- Youtube channels
- Web Tools
- Repositories
- Career

PostMessage

Writeups

https://labs.detectify.com/security-guidance/the-pitfalls-of-postmessage/
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
https://trustfoundry.net/2024/07/30/a-quick-introduction-to-postmessage-xss/
https://www.yeswehack.com/learn-bug-bounty/introduction-postmessage-vulnerabilities
https://hackerone.com/reports/900619
https://book.hacktricks.xyz/pentesting-web/postmessage-vulnerabilities
https://hackerone.com/reports/231053
https://hackerone.com/reports/576532
https://hackerone.com/reports/1567186
https://hackerone.com/reports/1031644
https://hackerone.com/reports/217745
https://hackerone.com/reports/423218
https://rhynorater.github.io/postMessage-Braindump
https://vinothkumar.me/20000-facebook-dom-xss/
https://ndevtk.github.io/writeups/2023/08/18/extensions/
https://web.archive.org/web/20211016075506/https://insight.claranet.co.uk/technical-blogs/hunting-postmessage-vulnerabilities
https://medium.com/bored-engineer/xss-on-account-leagueoflegends-com-via-easyxdm-2016-75bcf9d582b5

Videos

https://www.youtube.com/watch?v=dCco6bZhUd0
https://youtu.be/6731qvqBlCE?t=2435
https://www.youtube.com/watch?v=KGsktwaxsKU

Extension

https://github.com/fransr/postMessage-tracker

Labs

https://html5.digi.ninja/
https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages
https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-a-javascript-url
https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-json-parse

Credits: https://x.com/Heli__9

LLMs SMS Verification

Built with Hugo and