CORS Bypasses

CORS Bypass

  1. Origin:null
  2. Origin:attacker.com
  3. Origin:attacker.target.com
  4. Origin:attackertarget.com
  5. Origin:sub.attackertarget.com
  6. Origin:attacker.com, then change the request method (GET to POST, or POST to GET)
  7. Origin:sub.attacker target.com
  8. Origin:sub.attacker%target.com
  9. Origin:attacker.com/target.com
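A defender's view of the checklist above, as an added example that is not part of the original page: it runs the listed Origin values through a loose substring check and through an exact-match allowlist, and reports which ones each policy would trust. The allowlist entries, the `https://` scheme added to the values, and the loose policy itself are assumptions made for illustration.

```python
import re

# Assumption: the application lives on target.com and trusts exactly these origins.
ALLOWED_ORIGINS = frozenset({"https://target.com", "https://app.target.com"})

# Origin values from the checklist above, with a scheme added (constructed input).
CHECKLIST_ORIGINS = [
    "null",
    "https://attacker.com",
    "https://attacker.target.com",
    "https://attackertarget.com",
    "https://sub.attackertarget.com",
    "https://sub.attacker target.com",
    "https://sub.attacker%target.com",
    "https://attacker.com/target.com",
]


def loose_cors_headers(origin):
    """Flawed pattern: trust 'null' and reflect anything containing target.com."""
    if origin == "null" or re.search(r"target\.com", origin):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def strict_cors_headers(origin):
    """Exact string match against the allowlist; no regex, prefix or suffix tests.

    Call it the same way for every HTTP method, so that switching GET and POST
    (item 6 of the checklist) cannot reach a different policy.
    """
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # keep caches from serving one origin's response to another
        }
    return {}


def trusted_by(policy):
    """Return the checklist origins for which the policy emits CORS headers."""
    return [o for o in CHECKLIST_ORIGINS if policy(o)]


if __name__ == "__main__":
    print("loose policy trusts: ", trusted_by(loose_cors_headers))
    print("strict policy trusts:", trusted_by(strict_cors_headers))
```
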
